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Part 1 


Windows Security Essentials 


Chapter 1 


Computer Security: Are You at 
Risk? 


Every year, personal computers become more 
powerful, more complex, more connected...and 
more vulnerable. 


In 1995, when the Internet was still in its infancy, 
a leading computer security clearinghouse, the 
CERT Coordination Center, reported the discovery 
of 171 vulnerabilities that thieves and vandals 
could exploit to attack widely used operating 
systems and applications. In 2000, the number of 
newly discovered vulnerabilities jumped to 1,090; 
and in 2001, the total skyrocketed to more than 
2,500, with 37 of those flaws considered serious 
enough to warrant formal security alerts. Security 
experts predict that the number of new 
vulnerabilities in computer operating systems and 
networks will continue to increase. 


Those alerts are aimed at users of many 
operating systems and hardware platforms, of 
course, not only at those of us who run Microsoft 
Windows. But the world’s most popular operating 
system makes a tempting target. Destructive, 
fast-spreading viruses and newly discovered bugs 
in the Windows operating system make for juicy 
headlines. And for every security threat that 
makes the nightly news, a hundred more might 
be reported only on Web sites and mailing lists 
aimed at security professionals. Make no mistake 
about it: What you don’t know can hurt you. 


As personal computers weave themselves ever 
more tightly into the social and economic fabric 
of our lives, the potential for damage from 
viruses, malicious Web sites, cybervandals, and 
online thieves increases. A successful attacker 


can vaporize data files and wipe out installed 
programs on your computer, drain funds from 
your online bank and brokerage accounts, ruin 
your credit, send forged e-mail messages that 
appear to come from your address, and hijack 
your Internet connection for use in attacks on 
other computers and networks. Viruses and 
worms can scramble data and render entire 
networks unusable for days. 


The cost to clean up after a major outbreak of a 
new virus or worm can be staggering. In two 
weeks during the summer of 2001, the Code Red 
worm infected hundreds of thousands of 
computers. Computer Economics, an Internet 
research firm, estimated that the direct costs of 
removing the worm, applying software updates to 
patch the security vulnerability, and returning 
these systems to normal service reached $1 
billion, with another $1.4 billion in lost 
productivity indirectly attributable to the worm 
during that same period. Even if you're 
responsible for only a single computer, the costs 
can be significant. Imagine how much you would 
lose if the computer that runs your business were 
rendered unusable for several days or a week and 
all your saved files were destroyed. 


Fortunately, you don’t need a degree in computer 
science to protect your computer. We wrote this 
book with the specific intent of helping ordinary 
Windows users break through the haze of 
misinformation, myth, and technobabble that 
defines most of the currently available 
information about Windows security. If you want 
to take control of your personal computer and 
protect yourself from online threats, you’ve come 
to the right place. Our focus is on vulnerabilities 
and threats that affect anyone running Windows 


XP (Home Edition or Professional) or Windows 
2000 Professional. We'll explain how each 
vulnerability works, how it can affect you, and 
how you can close the security hole. 


As the title suggests, this book 
focuses on Windows XP (Home Edition 
and Professional) and Windows 2000 
Professional. If you’re using Windows 
95, Windows 98, or Windows Me, 
some of the information in this book 
will be relevant to you, but most of 
our recommendations rely on features 
found only in Windows XP and its 
predecessor, Windows 2000. Both of 
these operating systems were 
designed from the ground up with 
security in mind; features such as the 
NTFS file system, built-in encryption, 
and support for multiple users are 
essential building blocks of a 
comprehensive computer security 
program. If you’re serious about 
protecting your personal computer 
and you’re still running an older 
version of Windows, we’ve got one 
word of advice: Upgrade. 


In this chapter, we examine the most common 
threats to your computer’s security and list the 
basic steps you need to take as part of a 
comprehensive security program. In Chapter 2, 
we describe the arsenal of security tools and 
technologies built into Windows 2000 and 
Windows XP and explain how you can put them to 
best use. In the remainder of the book, we 
explore each type of threat in detail, providing in- 
depth technical information, expert tips, 


additional resources, and checklists you can use 
to stop even the most determined intruder. 


Balancing Safety and 
Convenience 


Let’s start with a simple, inescapable truth: There 
is no such thing as a perfectly secure personal 
computer, just as there is no such thing as a 
perfectly secure house. 


Keeping your personal data and your Internet 
connection safe from hostile software and 
unwelcome visitors is, by definition, a balancing 
act. Some of the features available in Windows 
that ease your online life can inadvertently 
expose confidential information to an untrusted 
stranger. For instance, a feature in Microsoft 
Internet Explorer called AutoComplete allows you 
to save logon names and passwords associated 
with Web sites so that you can access your data 
with a single click instead of having to remember 
your password and enter it each time. But that 
time-saving trick works equally well for any 
person who sits down at your computer. In a 
matter of minutes, anyone with physical access 
to your computer can poke around in your 
banking records, record sensitive information, 
and even transfer funds. 


To protect yourself, you can disable features of 
the operating system and its components that 
pose unnecessary risks to your security. You can 
increase the complexity of the passwords you use 
to access your computer and online accounts. You 
can also add third-party security software and 
hardware devices to make life more difficult for 
intruders. Unfortunately, each additional layer of 
security also makes performing even simple 
computing tasks more difficult for you. (For a 
much more detailed discussion of these 


fundamental security concepts, see “The Ten 
Immutable Laws of Security,” reprinted in 
Appendix A.) 


How do you find the right balance between 
security and convenience? The role of the 
computer and the value of the data stored there 
determine the level of security that’s appropriate. 
If you’re an analyst for the Central Intelligence 
Agency or an auditor for a multinational bank, 
you need world-class security, and you should be 
prepared to pay a steep price for that level of 
protection. On the other hand, if you have a 
home computer located in your den, accessible 
only to members of your family, you can tip the 
scales in favor of convenience. 


Before you can decide how to protect yourself, 
however, you need to understand the different 
types of threats that confront every computer 
user, every day. 


Know Your Enemy: Seven 
Threats to Your Computer's 
Security 


If you pay attention only to the mainstream 
media, you might think that credit card thieves 
and occasional outbreaks of e-mail-borne viruses 
are the only serious threats to your computer and 
its data. Nothing could be further from the truth. 
Attacks can come from just about anywhere, 
including your own office. According to a 2002 
study by the Computer Security Institute and the 
San Francisco office of the FBI, 38 percent of the 
businesses surveyed experienced unauthorized 
access to their systems and data by insiders— 
disgruntled current or former employees. And 
some of the most serious attacks on the global 
Internet in recent years have come as a result of 
“Trojan horse” programs planted on Windows 
computers by technically unsophisticated 
amateur attackers. 


In this section, we list seven common categories 
of threats you’re likely to encounter. 


Threat #1: Physical Attacks 


The most basic breach of your computer’s 
security doesn’t require the attacker to have any 
technical skill at all. If you leave a notebook 
computer unattended for even a few seconds ina 
busy airport or train station, a thief can pick it up 
and carry it away, along with all your personal 
data and access to any passwords stored there. 
Stealing a desktop computer is logistically more 
challenging, but the resulting loss can be equally 
disastrous. And don’t assume that a complex, 
hard-to-guess password or even well-encrypted 
files will protect you. If a technically savvy crook 
can cart away your computer, he (the 
overwhelming majority of malicious hackers and 
high-tech thieves are male) can work on it for 
days or weeks; given enough time, bad guys can 
break into any computer, no matter how well it’s 
protected. 


As bad as that sounds, some physical attacks on 
your computer can be even more devastating. 
Consider the consequences, for instance, if you 
leave your office door unlocked and your 
computer on and unlocked while you go to lunch 
or a meeting. A brief absence is long enough for 
an intruder to sneak into your office, sit down at 
the keyboard, and copy data files to a floppy disk 
or upload them to another computer over the 
Internet. A malicious intruder could sabotage 
your work by altering numbers in a spreadsheet 
or changing the wording of a contract or letter. A 
really determined spy could even install 
surveillance software that runs in the background 
on your computer, sending the information to a 
remote computer. 


Figure 1-1, for instance, shows the remote 
console of an infamous remote control program 
called Back Orifice. The server program is small 
enough to fit on a floppy disk, installs in a few 
seconds, and is nearly undetectable when 
running on the victim’s computer. Using the 
remote console, an attacker can take full control 
of the victim’s computer—transferring files and 
folders, modifying the Windows registry, and 
(using the controls shown here) recording details 
of every keystroke—including passwords, credit 
card numbers, confidential memos, online chat 
sessions, and love letters. 


“-Figure 1-1. An attacker who gets physical 
access to your computer for even a few 
minutes can install surveillance software and 
literally take control of your computer from a 
remote location. 


For more details about how you can 
detect and remove Trojan horses and 


other remote control software, see 
Repairing_an Infected System. 


Physical Security: A Checklist 


As the experts at the Microsoft 
Security Response Center note, “If a 
bad guy has unrestricted physical 
access to your computer, it’s not your 
computer anymore.” That’s why, as 
part of a comprehensive computer 
security plan, your absolute first line 
of defense is to make sure that your 
computer is physically protected. 
Follow these guidelines: 


e Keep any computer 
containing sensitive 
information behind a 
locked door. Cubicles 
make it too easy for 
intruders to attempt a 
break-in. 


e In high-traffic areas, use 
external locks to 
physically bolt a 
computer to a desk. This 
extra level of protection 
won’t stop a determined 
professional thief, but it 
will prevent crimes of 
opportunity. 


e Take extra precautions 
to protect portable 
computers and handheld 
devices, especially when 
they contain sensitive 
information. Consider 
using a radio-controlled 
alarm such as those 
available from TrackIT 
Corporation 
(http://www. trackitcorp. 
com); it sounds an alert 
if you and your notebook 
carrying case are 
unexpectedly separated. 


e At work, make a habit of 
logging out or locking 
the computer every time 
you leave your desk. 
Casual snoops can learn 


a lot just by looking at 
the names of files and 
folders, without even 
touching your keyboard. 
Don’t make their job 
easy. 


Watch out for “shoulder 
surfers” who try to steal 
passwords by watching 
your fingers as you log 
on. Arrange your work 
space so that your 
keyboard is not in plain 
view. 


Use a password- 
protected screen saver. 
Set your screen saver to 
kick in after a short 
period of inactivity—no 
more than 10 minutes— 
and choose the option to 
display a password 
prompt when resuming. 


Convert FAT32 disks to 
NTFS format to prevent 
snoops from booting 
with a floppy disk and 
accessing data files 
without having to log on. 
(For details on making 
this conversion, see 7. 
Use NTFS for All Drives.) 


If your computer 
contains ultrasensitive 
data, consider using the 
encrypting file system 


(for details, read 

Files and Folders"), and 
add a hardware-based 
logon device such as a 
smart card ora 
biometric identification 
system. 


Do some of these precautions sound 
extreme? They’re not. In fact, most of 
this advice is common sense. You 
wouldn’t think of leaving your front 
door unlocked when you go to bed at 
night. Why then would you want to 
leave your personal computer 
unlocked, especially when you know 
that would-be intruders are constantly 
on the prowl, rattling virtual 
doorknobs in search of unsecured 
computers? 


Encrypting data is a superb way to 
lock out thieves, as long as you’re also 
diligent about setting strong 
passwords and logging off when you're 
not using your computer. Just make 
sure to keep a backup copy of the 
encryption key! If anything happens to 
the hard disk containing your Windows 
system files, you must be able to 
replace the encryption key. Without it, 
you're permanently locked out from all 
your encrypted files, even if you’re 
able to restore them from a backup 
copy. Before you even think about 
using the encrypting file system built 
into Windows XP Professional and 


Windows 2000, read Chapter 18, 
“Encrypting Files and Folders.” 


Threat #2: Pilfered Passwords 


On the overwhelming majority of computers and 
secure Web sites, entering a password is the only 
way to establish that you are who you say you 
are. If someone else borrows, steals, or guesses 
your password, that person has complete access 
to all your files and network resources. By 
logging on with your password, a malicious 
intruder can read your e-mail, poke around in 
your sensitive files, access protected network 
resources such as corporate databases, and 
perform all sorts of mischief, leaving you to clean 
up the mess. 


Surprisingly, the newest and most secure version 
of Windows, Windows XP, actually encourages 
sloppy password habits. When you install 
Windows XP (Home Edition or Professional) on a 
computer that’s not connected to a Windows 
domain, the Setup program creates new user 
accounts with blank passwords and full 
administrative rights—hardly a secure 
configuration (although, in the system’s defense, 
its default settings disable any access to shared 
files from across the network until you create a 
password). When you run the Network Setup 
Wizard and enable file sharing, Windows XP 
encourages each user to create a password and 
add a hint, like the one shown in Figure 1-2. The 
hint makes it easy to remember your password 
later; unfortunately, it also makes things easier 
for anyone trying to guess your password. 


“-Figure 1-2. Avoid using hints like the one 
shown here, which weaken the security of 
your logon password. 


Strong, effective passwords are at least eight 
characters long and contain a random mix of 
uppercase and lowercase letters, numbers, and 
punctuation marks. Sad to say, most people do a 
lousy job of picking passwords and personal 
identification numbers, using easy-to-remember 
and easy-to-guess combinations of numbers and 
letters, such as birthdates or the names of 
children or pets. Worse still, most people reuse 
the same password at every opportunity, which 
means that an intruder who steals the password 
for your favorite online bookstore might also be 
able to access your bank account, log on to your 
computer, and read or send messages using your 
e-mail account. 


Using a strong password increases your online 
security dramatically. Figure 1-3 shows Windows 
XP Home Edition running a password-cracking 
utility called Advanced NT Security Explorer, from 
ElcomSoft 
(http://www.elcomsoft.com/antexp.htm!). (For 
more details about how password-cracking 
utilities work, see Recovering_a Lost Password. ) 
On this computer, the account for the user 
George is protected by a simple password: 
ROVER. Cracking that code is child’s play for this 
utility, which took exactly two seconds to try 
every entry in its 100,000-word dictionary and 
successfully unscramble the saved password. 
After George changed the password to a 
randomly selected sequence of eight letters and 
numbers, spi2RuLa, the password-cracking utility 
had to work more than 20,000 times as hard to 
crack the password, spending roughly 12 hours in 
“prute force” mode, crunching through every 
conceivable combination of letters and numbers. 


wal 


Figure 1-3. This password-cracking utility 
was able to guess George’s password in two 
seconds. A longer password made up of 
randomly selected letters and numbers is 
more secure. 


Of course, even the strongest password offers 
scant protection if it’s written on a sticky note 
tacked to the side of a monitor or stuffed in the 
top desk drawer. Enterprising thieves also use 
“social engineering” to trick a gullible computer 
user into giving up passwords to a complete 
stranger over the phone or via e-mail. A con 
artist using social-engineering techniques might 
pretend to be a technical support specialist 
diagnosing trouble with your computer. By 
interspersing details about your company, its 
network, and your applications, the would-be 
thief tries to lull the victim into a false sense of 
security. (“Mr Bott? Yes, this is Carl in the 
network operations center. We've been trying to 
track down a problem on the 16th floor Ethernet 
run and wonder whether you can help us. We 
think there are some problems in the fiber runs 
between your wing and the server room. Do you 
have a minute to help me do some testing so I 
can figure out what’s going on?”) Although the 
technique fails more often than it succeeds, it’s 
still surprisingly effective. Even seasoned 
computer support professionals sometimes fall 
for social-engineering scams, in which an outside 
caller pretends to be a user experiencing 
password problems. (“Can you reset my 
password, please? I’ve forgotten it.”) On 
corporate networks, where individual users have 
access to a broad range of resources, the results 
can be devastating. 


For technical details on how Windows 
Saves passwords and how you can 


increase the security of password- 
protected resources, see Using 
Passwords Effectively. 


Threat #3: Nosy Network Neighbors 


Do you trust the person in the next cubicle? 
Misplaced trust and misconfigured systems can 
lead to security headaches on computer networks 
of any size. Networks promote collaboration by 
allowing users to share files, folders, and other 
resources in real time. Used effectively, networks 
can have a dramatic positive effect on 
productivity. Used carelessly, however, networks 
can contribute to security problems. The most 
common weaknesses occur when users don’t pay 
sufficiently close attention while sharing 
resources and setting up user accounts. 


The three most common security problems on 
networks are the following: 


e Sharing files that should remain 
confidential. Users can 
inadvertently create this problem 
by sharing a folder filled with 
several subfolders, some of which 
contain data files that should 
remain confidential. Simple 
carelessness can also cause data to 
be compromised, as when a user 
copies sensitive files to a removable 
disk or to a local workstation ora 
portable computer that isn’t 
properly secured. Creating policies 
that define what types of local files 
can be shared or copied and 
training users in proper techniques 
for managing confidential data are 
essential steps in avoiding this 
problem. 


e Allowing unrestricted access to 


shared files. Some types of 
information need to be shared with 
a small, tightly restricted group of 
network users. A Microsoft Excel 
workbook containing your 
company’s budget and salary 
details, for instance, might need to 
be shared among a group of senior 
executives. If share permissions are 
too broad, unauthorized users 
might inadvertently be able to 
access these files. This is a 
particular problem on peer-to-peer 
networks running Windows XP, in 
which the default Simple File 
Sharing configuration allows all 
network users to access shared 
resources. 


For more details about 
your alternatives when 
setting up shared access 


to sensitive files, see 
Restricting Network 
Access to Files and 
Folders. 


Allowing users to change files 
without permission. Many 
collaborative environments depend 
on a team of workers being able to 
share information. Sensible 
management policies often dictate 
that only one or two team members 
have responsibility for making 
changes to files. What happens if a 
network share is set up incorrectly, 


so that everyone who has access to 
files in a particular folder also has 
the capability to edit, replace, or 
delete those files? In that scenario, 
a single distracted user can wipe 
out a frightful amount of work by 
accidentally saving a new file using 
the same name as an existing file 
or by deleting a group of files in a 
misguided cleanup effort. Good 
backups can undo some of the 
damage (a topic we cover in depth 
in Chapter 6, “Preventing Data 
Loss“), but configuring the shared 
resources correctly can prevent the 
problem from occurring in the first 
place. 


For extra security, add a server 


If the data stored on your business 
network is truly sensitive, we strongly 
recommend that you augment the 
basic protections afforded by access 
controls in Windows 2000 Professional 
and Windows XP Professional. In this 
type of environment, consider setting 
up at least one server running 
Windows 2000 Server or Windows 
.NET Server and creating a Windows 
domain. When all user data is stored 
on domain servers, a trained 
administrator can manage security 
policies and enforce them across the 
entire network, instead of relying on 
each user to maintain secure data. 
Using network servers also makes it 
easier to ensure that data is backed 
up regularly. Although this book 


doesn’t cover server configuration in 

detail, you can learn more about how 
to work with domains in Workgroups 
vs. Domains. 


Threat #4: Viruses, Worms, and Other 
Hostile Programs 


Mainstream media outlets reserve their most 
breathless headlines for outbreaks of viruses and 
worms, often prompted by press releases from 
companies that sell software intended to fight 
those hostile programs. In recent years, a 
handful of new viruses and worms have caused 
massive amounts of damage to the computers 
they infected and have disrupted the flow of 
information on the Internet. Sadly, Windows 
users who pay attention to the threat of viruses 
only when a new outbreak occurs are most likely 
to become victims of a new attack. 


Understanding how viruses and worms work is 
essential to keeping them out of your computer 
and network. Let’s start with some definitions: 


e A virus is a piece of code that 
replicates by attaching itself to 
another object. A virus doesn’t 
have to be a self-contained 
program; in fact, many outbreaks 
of seemingly new viruses actually 
involve rewritten and repackaged 
versions of older virus code. When 
a virus infects a computer running 
Windows, it can attack the registry, 
replace system files, and take over 
e-mail programs in its attempt to 
replicate itself. The virus payload is 
the destructive portion of the code. 
Depending on the malicious intent 
and skill of the virus writer, the 
virus can destroy or corrupt data 
files, wipe out installed programs, 


or damage the operating system 
itself. 


e Worms are independent programs 
that replicate by copying 
themselves from one computer to 
another, usually over a network or 
through e-mail attachments. Many 
modern worms also contain virus 
code that can damage data or 
consume so many system resources 
that they render the operating 
system unusable. 


Computer viruses date back to the 1980s, when 
they were most commonly transmitted through 
infected floppy disks. In recent years, though, 
virus outbreaks have become faster and more 
destructive, thanks to the ubiquitous nature of 
the Windows platform and popular e-mail 
programs such as Microsoft Outlook and Outlook 
Express, coupled with the soaring popularity of 
the Internet. Virus writers have become more 
sophisticated, too, adding smart setup routines, 
sophisticated encryption, downloadable plug-ins, 
and automatic Web-based updates to their 
dangerous wares. Polymorphic viruses can 
mutate as they infect new host files, making 
discovery and disinfection difficult because no two 
instances of the virus “look” the same to virus 
scanners. A new class of so-called stealth viruses 
can disguise themselves so that installed 
antivirus software can’t detect them. If you know 
where to look in the virus underground, you can 
find point-and-click virus-authoring software, 
which lets even a nonprogrammer build a fully 
functional, destructive virus. 


Many viruses and worms spread by attaching 
themselves to e-mail messages and then 
transmitting themselves to every address they 
can find on the victim’s computer. Some, like the 
Maldal virus shown here, bury the virus code in 
an executable file that masquerades as a 
seemingly innocuous animated greeting card. 


“When the victim opens the attachment, the 
animated file plays in its own window, disguising 
the virus activity. 


“-Other viruses hidden in e-mail attachments 
try to cloak their true identity by appending an 
additional file name extension to the infected 
attachment. This strategy relies on the intended 
victim using the default settings of Windows 
Explorer, which hide extensions for known file 
types. The SirCam virus, shown here, infects a 
randomly selected file and adds an extension that 
makes it executable. In this example, you can 
see both extensions, including the suspicious .pif 
at the end of the file name. With file name 
extensions turned off, the attachment would 
appear to be an innocuous Microsoft Word 
document, and an unwary recipient would be 
more likely to open it. 


“-Although most viruses and worms arrive as e- 
mail attachments, that’s not the only method of 
transmission. Malicious code can also be 
transmitted to unprotected machines via network 
shares, through ActiveX controls and scripts, and 
by HTML-based e-mail messages or Web pages. 
The infamous Code Red and Nimda worms 
represent particularly virulent examples of 
“blended threats” that replicate using multiple 
vectors. 


“Underground” Web sites that host 
pornography, illegal software, and 


other questionable content are 
disproportionately likely to transmit 
viruses and worms. If novice computer 
users have access to your computer, 
make sure they understand the 
dangers of downloading and installing 
software from unknown sources. Up- 
to-date antivirus software is 
imperative on multiuser computers. 


How can you stop viruses and worms before they 
cause damage to your computer or network? 
Here are four general guidelines to follow. (For 
more details, including how to identify a virus or 
worm and how to recover from a virus infection, 
see Chapter 9, “Stopping Viruses, Worms, and 
Trojan Horses.”) 


e Learn how to spot the warning 
signs of viruses. This is especially 
important in the first few hours or 
days after a new virus or worm 
appears on the scene, before 
antivirus software makers have 
developed updates that can detect 
the new strain. Unexpected e-mail 
attachments, even from familiar 
correspondents, should always be 
treated with extreme caution. (For 
a complete list of the telltale clues, 
see Identifying Malicious Software. ) 


When in doubt, delete 
suspicious files 


When a new virus 
outbreak occurs, articles 
in the mainstream press 
often advise users to 
avoid opening 


attachments from 
strangers. That advice is 
dangerously incomplete. 
It’s equally important to 
avoid opening 
attachments from 
friends and colleagues. A 
favorite tactic of virus 
writers who target 
Windows computers is to 
program the virus so 
that it sends copies of 
itself via e-mail to 
everyone in the victim’s 
address book or 
Windows Messenger list. 
The infected attachment 
might be a real file, 
plucked from the 
victim’s My Documents 
folder. If you receive an 
unexpected attachment 
from anyone, especially 
someone you know, 
don’t open it until you 
can verify that it’s safe. 
When in doubt, hit the 
Delete key. 


e Install antivirus software and 
keep it up to date. A good 
antivirus program monitors 
downloads and e-mail attachments 
in real time instead of relying on 
after-the-fact scans to identify 
infected files. Be sure to update the 
virus definitions regularly. Out-of- 
date antivirus software is worse 


than none at all because it 
promotes a false sense of security 
without offering any protection 
against recent strains. 


e Train other network users on 
how to avoid viruses. Make sure 
that people you share a network 
with develop a healthy suspicion of 
file attachments and questionable 
Web pages. Impress on them how 
important it is to have antivirus 
software running at all times. 


e Build additional barriers to 
prevent viruses from attacking 
computers. The best protection 
against viruses and worms is to 
keep them from ever reaching the 
user. Some third-party firewall 
programs offer extra layers of 
protection that block malicious 
code. Recent versions of Outlook 
and Outlook Express also include 
features that can disable potentially 
dangerous attachments. Ona 
corporate network that includes an 
e-mail server, e-mail gateways can 
quarantine dangerous mail before it 
has a chance to reach users. 


Threat #5: Outside Intruders and 
Trojan Horse Takeovers 


If you’ve been to the movies, you’ve seen 
Hollywood’s stereotypical hacker—brilliant, 
antisocial, fueled by pizza and Mountain Dew, and 
so Skilled that he can break into any bank, 
corporate database, or international spy 
headquarters with just a few taps on the 
keyboard. 


In the real world, malicious hackers are far less 
glamorous and, for the most part, far less skilled 
than their counterparts on the silver screen. 
Unfortunately, even a novice hacker can do a 
frightful amount of damage by targeting an 
inadequately protected computer over the 
Internet. 


Some security professionals bristle at 
what they perceive as the misuse of 
the term hacker, especially by the 
mainstream news media. In the 
computer underground, a hacker is 
anyone who spends time poking into 
computers and operating systems, 
testing their limits and discovering 
their vulnerabilities. “White hat” 
hackers who find and fix vulnerabilities 
in operating systems, applications, 
and networks are widely respected for 
their skills. “Black hat” hackers, or 
crackers, are more interested in 
breaking into computers and networks 
without authorization, either for the 
sheer fun of it or to steal valuable 
information, such as credit card 
numbers. In this book, we use the 
more precise terms attacker and 


intruder to refer to anyone who tries 
to access an unauthorized computer 
system from outside. 


Most would-be intruders don’t bother aiming at a 
particular computer or network. Instead, they use 
widely available underground utilities to automate 
the process of breaking and entering. These tools 
scan hundreds or thousands of IP addresses in 
search of specific, known vulnerabilities; they’re 
most effective against always-on Internet 
connections, such as cable modems and DSL 
lines, whose IP addresses remain constant for 
long periods of time. Here are some examples of 
what they’re looking for: 


e Unprotected shared resources. 
In theory, shared resources should 
be accessible only to other users on 
your network. In practice, poorly 
secured shares might be accessed 
from other computers on the same 
network segment (users connected 
to the same dial-up modem or 
cable router, for instance) and in 
some circumstances by any 
computer, anywhere on the 
Internet. A malicious intruder who 
finds an open share that isn’t 
protected by a password can do 
anything with the files and folders 
in that location. More important, 
the intruder can install one of 
several remote access programs 
that provide complete access to the 
shared computer. 


e Open service ports. An intruder 
who finds a server running on your 


computer can probe it for weak 
passwords or known security holes; 
if you haven’t applied software 
patches to fix those vulnerabilities, 
the intruder can exploit the 
weakness to access your computer. 
Web servers, FTP servers, remote 
access programs like pcAnywhere, 
and messaging clients such as ICQ 
are especially susceptible to this 
sort of attack. For information 
about identifying open service 
ports, see Determining Which Ports 
Are Active. 


e Trojan horses. Also known as 
“back door” programs, these pieces 
of hostile software act as stealth 
servers that allow intruders to take 
control of a remote computer 
without the owner’s knowledge. 
Like the Greek myth after which 
they’re named, Trojan horse 
programs typically masquerade as 
benign programs and rely on 
gullible users to install them. 
Computers that have been taken 
over by a Trojan horse program are 
sometimes referred to as zombies. 
As we'll see shortly, armies of these 
zombies can be used to launch 
crippling attacks against Web sites. 


To prevent intruders from breaking into your 
computer from the Internet, follow these three 
general guidelines: 


e Shut down services you're not 
using. If you once installed a 


personal Web server to experiment 
with Web page design but no longer 
use it, make sure it’s not still 
running on your computer, inviting 
intruders to take a crack at it. (For 
details about turning off unused 
services, see Shutting Down 
Unneeded Services.) 


Use firewall software to block 
access to your computer and to 
monitor intrusion attempts. 
Windows XP includes a serviceable 
Internet Connection Firewall that is 
configured automatically when you 
run the Network Setup Wizard. As 
Figure 1-4 shows, you can 
configure the firewall to allow 
certain types of traffic through, 
while blocking all others. Third- 
party firewall software offers 
additional capabilities, including the 
capability to block unwanted 
outbound connections and to 
restrict Internet access on a per- 
application basis. 


Use hardware barriers for an 
extra layer of protection on 
networks. A simple router or 
residential gateway provides basic 
Network Address Translation, which 
shields the IP addresses of 
computers on the network and 
rebuffs many attempts at intrusion. 
More sophisticated (and more 
expensive) firewall devices add the 
capability to block specific ports 


and protocols that outside attackers 
might be able to exploit. 


“-Figure 1-4. The Internet 
Connection Firewall in Windows 
XP provides basic but effective 
protection from intruders. 


For more details about blocking 


intruders, see Blocking Attacks with a 
Firewall. 


Threat #6: Invasions of Privacy 


When a hacker, cracker, or attacker connects to 
your computer, the threat to your security is 
immediate and personal. But threats to your 
online privacy are more subtle, and different 
users have different reactions to features in 
Windows and Internet Explorer that deliberately 
or unintentionally reveal personal information 
about you. 


Internet Explorer, for example, reveals extensive 
details about your browser—which version you’re 
using, which optional components you’ve 
installed, and which site contained the link that 
brought you to the current page. It also betrays a 
few details that might be able to help the owner 
of a Web site pin down your location: your IP 
address and time zone, for instance. 


Those details are relatively minor and are 
primarily intended to improve communication 
between your Web browser and the sites you 
visit. But another feature that’s common to all 
modern browsers is considerably more 
controversial. Cookies are tiny data files that 
contain persistent bits of information about you 
and your interaction with a particular Web site. 
They're also a source of raging controversy 
among people who are passionate about privacy. 
In Chapter 13, “Protecting_Your Privacy,” we 
explain how cookies work and how you can 
control them. For the purposes of this discussion, 
you should know these four facts: 


e Cookies can contain personal 
information only if you provide it. 
Most cookies simply create a serial 
number that allows the Web site to 


recognize that you’re a repeat 
visitor. If you enter personal details 
—by entering an online contest or 
filling in a registration form, for 
instance—the cookie can keep track 
of those details and match them 
with your browsing history from 
previous visits to the same site. 
Cookies are especially helpful for 
online shopping applications and at 
sites where you need to establish 
your identity for access. 


Internet Explorer 6 (an upgrade for 
Windows 2000 users, a standard 
part of Windows XP) includes a 
Privacy dialog box that lets you 
control cookies en masse or 
individually. Figure 1-5 shows an 
expanded version of the dialog box 
that appears when you configure 
Internet Explorer to prompt you 
before accepting a cookie. 


“-Figure 1-5. As this example 
illustrates, most cookies consist 
of identifying numbers, not 
personal details. 


The most troubling threats to 
privacy come from third-party 
cookies, which allow advertisers 
and marketing companies to track 
your movements between different 
sites that include elements (such as 
banner ads) from that third party’s 
site. Internet Explorer 6 allows you 
to handle third-party cookies using 
different rules than those that apply 
to cookies associated directly with a 


site. A variety of add-on utilities for 
Internet Explorer and other 
browsers let you exercise even 
more precise control over which 
sites are allowed to set cookies on 
your computer. 


e An emerging standard called the 
Platform for Privacy Preferences 
(P3P) allows Web sites to define the 
privacy standards they follow and 
publish that policy in a compact 
form as part of their Web site. 
Internet Explorer 6 can read this 
compact privacy policy and 
compare its settings to the 
preferences you entered. In theory, 
at least, this feature should let you 
automatically handle cookies at 
some sites. 


Your browser has an impact on your privacy in 
one other way as well: The browser’s history 
keeps a record of every site you visit—going 
back, by default, almost three weeks. Anyone 
who has physical access to your computer can 
examine the list of sites you've visited and learn 
a lot about you—perhaps more than you'd like 
them to know. Sweeping away this evidence of 
where you've been in cyberspace is more difficult 
than it appears, because traces of your 
movements are scattered all over your hard 
drive. We'll show you how to clean up all those 
scattered bits and pieces and also explain why 
even reformatting your hard disk might not be 
enough to eliminate all evidence of where you've 
been on the Web. For details, see Covering_Your 
Tracks. 


Threat #7: E-Mail Threats 


You're exposed to a myriad of threats every time 
you open your e-mail client. We’ve already 
discussed e-mail as a delivery mechanism for 
viruses, but other security issues are equally 
important, if not as obvious. 


If you use Internet-standard e-mail servers, 
every message you send travels in plain text on 
an unpredictable path that can pass through 
dozens of intermediate computers or routers 
before it reaches its destination. At any step 
along the way, your message can be intercepted 
and read; it can also be altered. In fact, it’s easy 
for a moderately tech-savvy crook to forge your 
name and address on a message so that it 
appears to have come from you. Because of that 
fundamental insecurity, you should never send 
confidential information such as credit card 
details or your Social Security number in a 
normal e-mail message; likewise, you should 
never rely on ordinary e-mail messages for 
important business transactions. 


However, if you’re willing to endure some hassles, 
you can protect a message from prying eyes by 
using strong encryption and digital signatures so 
that the recipient can be certain the message was 
sent by you and hasn’t been tampered with. Full 
details are available in Chapter 10, “Keeping Your 
E-Mail Secure.” 


And then there’s the dark side of e-mail— 
unsolicited commercial e-mail, more popularly 
known as spam. For most of us, spam is a 
nuisance rather than a serious threat to our 
computer’s security. But spam can carry viruses 
and other hostile software. Unwanted ads for 


Web-based casinos and pornography can cause 
embarrassment or threaten your job security if 
they land in your work mailbox. And some of the 
tactics people use to fight back against spam 
actually make the problem worse, as we explain 
in Chapter 11, “Blocking Spam.” We can’t promise 
to eliminate the problem completely, but we can 
offer a series of steps that can dramatically 
reduce the accumulation of e-mail in your inbox. 


How Can You Protect Yourself? 


Now that you have a basic overview of the 
security threats that can affect you, what should 
you do next? The most important step you can 
take is to put together a comprehensive security 
plan. It should incorporate the following 
elements: 


e Stay up to date with patches for 
Windows and the applications you 
use regularly. Configure Windows 
XP and Windows 2000 to download 
critical updates automatically; you 
can choose when to install those 
updates. Visit Windows Update at 
least once a month to check for 
other important updates that might 
apply to your computer. Patching 
vulnerabilities as soon as they’re 
discovered is a crucial first step in 
protecting your data and your 
network. (See Chapter 7, “Keeping 
Your System Secure,” for pointers 
to Windows Update and other 
sources of patches and updated 
system files. ) 


Be sure that your computer is 
physically secure. 


Use strong passwords that are 
difficult or impossible to guess. 
Don’t use the same password for 
multiple accounts, and be sure to 
change your passwords every few 
months. Don’t use automatic logons 
for your main Windows account. 


Get help remembering passwords 


If your memory isn’t up to the 
challenge of remembering dozens of 
randomly selected passwords, don’t 
worry—help is available. You can 
download any of several Windows 


utilities that can help you securely 
store your password list in encrypted 
form; some of these utilities even 
include password generators that help 
you create truly random, hard-to- 
break passwords. For some 
suggestions, see Managing Passwords. 


e Install antivirus software and 
update it regularly. 


e Use firewall software and hardware 
to protect yourself from outside 
intruders. 


e Back up critical data regularly, and 
store the backups in a safe location, 
away from your computer. 


Above all, don’t think of security as a chore ora 
one-time task. Keeping your data, your computer, 
and your network secure is an ongoing process. 
The day you let your guard down is the day 
you're most likely to become a victim. 


In Chapter 2, we'll walk you through important 
security-related features in Windows XP and 
Windows 2000. 


Chapter 2 


Windows Security Tools and 
Techniques 


Who do you trust? 


That’s not a rhetorical question. Trust is the 
fundamental principle that underlies all security 
features in Microsoft Windows. As the 
administrator of a computer or the owner of data, 
you have the power to decide who can be trusted 
with access to your computer and its files and 
who should be locked out. Windows XP and 
Windows 2000 provide an assortment of system 
components and tools that can help you reliably 
identify anyone trying to access protected 
resources. In this chapter, we introduce each of 
the pieces that form this security infrastructure. 


We start with the most basic of building blocks, 
the user account. By setting up a password- 
protected account for each individual who needs 
to access your computer, you can share files, 
folders, printers, and other resources with 
coworkers and family members. More important, 
you can lock out unknown users and restrict who 
has access to files that are private or confidential. 
We also explain how Windows allows you to 
create security groups, which ease the 
administrative burden of managing shared 
resources on business networks. Although the 
concept of user accounts sounds simple enough, 
its implementation in Windows is complex. The 
more you understand about how Windows stores 
and manages the details of user accounts and 
security groups, the better prepared you are to 
defend your computer and network from 
unauthorized access. 


Next we introduce a set of system components 
that provide logon and authentication services. 
Any user who sits down in front of a computer 
running Windows XP or Windows 2000 must 
prove his or her identity by providing the user 
name and password for a valid account. It’s a 
rather simple test, really, but we show you how 
the process works and, more important, how you 
can customize it to make it as easy as possible 
for legitimate users to log on while still barring 
users who shouldn't have access. 


After a user successfully logs on, Windows uses 
the security information in his or her account to 
determine which resources are available to the 
user and which are forbidden. You can apply 
permissions to files, folders, and network shares; 
and, for extra security, you can encrypt data files 
so that they are literally unreadable by anyone 
without the correct credentials, even if he or she 
is able to bypass your security settings and 
access the files. As we explain in this chapter, 
however, your options vary greatly, depending on 
your version of Windows, the file system used on 
a particular disk, and the choices you (or the 
computer manufacturer) made during Windows 
setup. We'll explain how each of these options 
work. 


Last, but certainly not least, this chapter 
concludes with a checklist of security tweaks and 
tune-ups that every Windows user should 
implement immediately. It also includes a handful 
of advanced security tweaks that aren’t for 
everyone but might be appropriate for you. 


What Are User Accounts? 


In Windows XP and Windows 2000, access control (the method for 
controlling access to specific files, folders, computers, and other 
resources) depends on the system’s ability to uniquely identify 
each user. A user account provides that unique identity. Each 
person who uses a computer should be given a user account. (An 
exception to this rule is if your computer is used by many people 
who need identical privileges—for example, if it is a kiosk 
computer with public access or a business computer used by 
many employees with the same job function. For computers like 
these, you could instead create a single user account—usually 
with very limited privileges—that’s shared by all such users.) 


For information about applying access control to 
protect local computer resources, see Chapter 5, 
“Securing_a Shared Computer.” We discuss access 
control for network resources in Chapter 14, “Network 
Security 101.” 


Internally, Windows stores information about each user account in 
a protected database called the Security Accounts Manager 
(SAM). Although you’re most likely to identify an account by its 
user name, Windows uses a variable-length value called a security 
identifier (SID) to track each account and its associated rights and 
permissions. When you create a user account, Windows assigns a 
unique SID to that account. In both Windows XP and Windows 
2000, all SIDs begin with S-1. The remainder of the SID consists 
of groups of numbers that uniquely identify each account. 


Most of the time, Windows represents accounts by their friendly 
names—Ed, Carl, or Administrator, for instance—and keeps track 
of the SID for each account in the background. However, if you 
look in the Windows registry, you can see the SIDs for all 
accounts on the current computer. Figure 2-1 shows the 
HKEY_USERS key for an installation of Windows XP Home Edition. 
The three short values are well-known SIDs that identify accounts 
common to all Windows installations; S-1-5-18 is the System 
account, for instance. The two much longer SIDs represent user 
accounts on this computer. 


“-Figure 2-1. Windows XP and Windows 2000 use security 
identifiers—the variable-length values shown under 
HKEY_USERS—to identify user accounts and their associated 
rights and permissions. 


Each SID is used only once. The SID created along with a new 
user account remains uniquely associated with that account until 
the account is deleted. The SID is never used again—for that user 
or any other. After deleting an account, you cannot re-create that 


account and recover its permissions and other settings; if you 
create a new account with the same user name and password, 
Windows assigns a new SID to that account. 


Find all SIDs associated with your user account 


Want to see all the SIDs associated with your account? 
The command-line Whoami utility, included with 
Windows XP Professional and Home Edition, lets you 
examine this information in detail. To use it, you must 
install the Windows XP Support tools. Insert the 
Windows XP CD, browse to the Support\Tools folder, 
and run Setup. After installing the Support tools, open 
a Command Prompt window (Cmd.exe) and enter the 
command whoami /all /sid. The output lists the 
name and SID of the currently logged-on user as well 
as the names and SIDs of all security groups to which 
that account belongs. 


Fortunately, users are never required to know their SID. Users log 
on to a computer running Windows by providing their user name 
and (if one has been assigned) the password for the account. 


Decode well-known SIDs 


In all, a Windows installation may include any of 59 
well-known SIDs, which remain constant on different 
computers. For a detailed listing of these SIDs, their 
friendly names, and their uses, see 


http://www. microsoft.com/technet/prodtechnol/winxpp 
ro/reskit/prnc_sid_cids.asp. 


User Accounts in Earlier Versions of Windows 


You might be familiar with user profiles in Windows 
95/98/Me. This feature, accessed through the Users 
icon in Control Panel, provides a way to create a 
unique operating environment for each user. Each user 
gets to have a unique Start menu, maintain a separate 
My Documents folder, maintain a cache of passwords 
to network resources, and choose his or her desktop 
background, colors, and icons. 


In these earlier versions of Windows, the ability to 
maintain separate profiles—which is also a benefit of 
user accounts in Windows XP and Windows 2000—is a 
feature of convenience, not security. Although you can 
set up Windows 95/98/Me so that Windows requests a 
password at startup, you can circumvent the request 
simply by clicking Cancel or pressing Esc when you see 
the logon dialog box. Using this option logs you on 


without loading the personal settings in a user profile, 
but still gives you full access to all information in all 
user profiles. The password cache files for other users 
remain locked, but you can easily crack these files 
using widely available utility programs. 


By contrast, Windows XP and Windows 2000 require 
each user to log on with a user account. Don’t confuse 
this crucial security feature with user profiles in earlier 
versions of Windows. Although the features are 
superficially similar, the difference in security is like 
night and day. 


Local vs. Domain Accounts 


In this chapter, our focus is on /oca/ accounts—user accounts and 
security groups that are stored in your computer’s SAM. A stand- 
alone computer or a computer in a workgroup uses only local 
accounts. Each computer in the workgroup maintains its own SAM 
with local accounts for that computer only. Local accounts allow 
users to log on only to the computer on which the accounts are 
stored and allow access only to resources on that computer. Other 
users on your network can access resources on your computer 
only if they authenticate themselves using a local account. (In 
many cases, the Guest account is used for this purpose. For more 
information about sharing resources over a network in a 
workgroup configuration, see Chapter 14, “Network Security 
101.”) 


By contrast, domain accounts are stored on a central computer 
called a domain controller. If your computer is joined to a domain 
—a network that has at least one computer running Windows .NET 
Server or Windows 2000 Server and serving as a domain 
controller—you ordinarily log on using a domain account. 
(Windows NT Server can also act as a domain controller, but it 
does not use Active Directory or the Kerberos V5 authentication 
protocol, two features that define most current domains.) In the 
Log On To box in the Log On To Windows dialog box, you specify 
either your computer name (to log on using a local account) or 
the name of a domain (to log on using a domain account). 


With a domain account, you can log on to any computer in the 
domain (subject to your privileges set at the domain level and on 
individual computers), and you can gain access to permitted 
resources anywhere on the network. The logon dialog box shown 
here displays the extra information used to log on to a domain. 
Notice that the user name is followed by an @ sign and the 
domain name. 


#4 Users running Windows XP Home Edition can connect 
to shared resources on a Windows domain by entering 
an authorized user name and password, but they 
cannot join the domain, save a roaming user profile on 
the domain, or save the user name and password for a 


domain account locally. 


Domains are unnecessary for small networks, but they add 
security and make administration easier as networks grow. Ona 
four-computer network, for instance, where each computer has a 
single user, it’s not particularly difficult to create matching user 
accounts on each computer and coordinate file sharing. On a 
network with 20 or 200 or 2,000 computers, however, the task of 
synchronizing identical sets of user accounts on each of those 


computers would be overwhelming. Adding a domain controller 
allows a network administrator to centralize security settings. 


Domain user accounts, each with its own unique SID, are stored 
in the domain’s directory, which is managed by the domain 
controller. Every member of the domain can connect to this 
database and use its list of accounts for security purposes. Thus, 
an individual computer user can grant access to a shared resource 
using the name of a domain security group. When the network 
administrator adds a new user to the network and assigns that 
user to the group in question, the new user automatically has 
access to the shared resource without requiring the local 
computer user to take any action. 


Even in a domain environment, the local computer’s SAM plays a 
role. Accessing resources on the local computer requires a local 
user account or membership in a local group. For that reason, 
when you join your computer to a domain, Windows adds the 
Domain Admins group (a domain-based security group for 
administrators) to the local Administrators group and adds the 
Domain Users group to the local Users group. 


Domain-based accounts and groups are also known as global 
accounts and global groups. 


For more details about using Windows XP and Windows 
2000 as part of a domain, see Workgroups vs. 
Domains. 


Built-In User Accounts 


Every installation of Windows 2000 or Windows XP has at least 
two built-in user accounts that are preconfigured with certain 
privileges and restrictions: 


e Administrator. This account has full rights over the 
entire computer. As a permanent member of the 
Administrators group, this account has unrestricted 
access to all files and registry keys on the computer. 
The Administrator account can create other user 
accounts. 


Bring back the Administrator account 


In Windows XP, the Administrator 
account normally doesn’t appear as a 
logon choice on the Welcome screen. (It 
appears only if no other user account 
exists that is a member of the 
Administrators, Guests, Power Users, or 
Users groups or when you boot into Safe 
Mode.) Rest assured: The account exists. 
If you want to log on using the 
Administrator account (or any other 
account that doesn’t appear on the 
Welcome screen), press Ctrl+Alt+Delete 
two times to display the Log On To 
Windows dialog box, in which you can 
enter any user name. 


e Guest. The Guest account is intended for occasional 
or one-time users, and its default privileges are 
quite limited. A user who logs on using this account 
can run programs and save documents on the local 
computer only. In Windows XP, the Guest account 
can also provide access to shared network resources 
when the Simple File Sharing option is enabled. 


Computers running Windows XP have two or more additional built- 
in accounts. Unlike Administrator and Guest, these built-in 
accounts can be moved to a different security group or deleted by 
an administrator. These additional accounts include the following: 


e HelpAssistant. The HelpAssistant account, which is 
used for Remote Assistance sessions, is disabled by 
default (and protected by a strong password). The 
HelpAssistant account on the computer belonging to 
the novice is used for logon by the remote expert. 


e SUPPORT_xxxxxxxx. Windows XP can include one 
or more accounts designed for use by vendors such 
as Microsoft and your computer’s manufacturer for 
online support and service. (xxxxxxxx represents a 
vendor-specific number. ) 


If you upgrade to Windows XP Home Edition from Windows 98 or 
Windows Me, the Setup program might also create an account 
called Owner, which is a member of the Administrators group. 


Windows also includes one or more service accounts—special- 
purpose user accounts that the operating system uses to run 
services. (Most Windows-based programs run using the security 
settings of the user who started the application. Services must 
run in the context of a particular account, too, but because 
services can run before a user logs on and can continue running 
after all users have logged off, they need to use service accounts. 
The use of service accounts provides control—they have limited 
privileges—and accountability.) In Windows 2000, most services 
run using Local System privileges; others run as a particular user 
or have their own special-purpose user account. Windows XP adds 
two additional service accounts, with varying privileges. Services 
can run as LocalService only on the local computer or as 
NetworkService only on the network. 


Security Groups 


Security groups, which represent collections of user accounts, are 
another type of security principal. (A security principal is any 
entity that can be authenticated. In Windows XP or Windows 
2000, a user, group, computer, or service can be a security 
principal.) Security groups provide a way to organize user 
accounts into groups of users with similar security needs. For 
example, you might want to create a security group at home for 
the kids in your family; in the office, you might create a group 
that includes all the people in the accounting department. You can 
then assign security permissions to the group rather than to 
individual users. A user account can belong to one group, more 
than one group, or no group at all. 


Groups are a valuable tool for administering security. They 
simplify the job of ensuring that all user accounts with common 
access needs have an identical set of privileges. Although you can 
grant privileges to each user account individually, doing so is 
tedious and prone to error—and usually considered poor practice. 
You're better off assigning permissions and rights to groups and 
then adding user accounts to the group with the appropriate 
privileges. 


Security Groups and Account Types 


You'll encounter the term security group in Windows 
NT and Windows 2000, but it’s less apparent in 
Windows XP. Although the function and use of security 
groups remain largely the same, in Windows XP you’re 
more likely to see the term account type, particularly 
when you run the User Accounts tool from Control 
Panel. Account type is a simplified way of describing 
membership in a security group. Although you can 
have any number of security groups—indeed, a default 
installation of Windows XP Professional has nine built- 
in groups and you can create more—Windows XP 
categorizes each user account as one of only four 
account types: 


e Computer administrator. Members of 
the Administrators group are classified as 
computer administrator accounts. 


e Limited. Members of the Users group 
are classified as limited accounts. 


e Guest. Members of the Guests group are 
shown as guest accounts. 


e Unknown. A user account that is not a 
member of the Administrators, Users, or 
Guests group appears (Somewhat 
alarmingly) as an Unknown account type. 
Because accounts you create through 
User Accounts in Control Panel are 
assigned to the Administrators group or 
the Users group, you'll see the Unknown 
account type only if you upgraded from 
an earlier version of Windows (for 
example, new users in Windows 2000 are 
assigned by default to the Power Users 
group) or if you use the Windows 2000- 
style User Accounts application, the Local 
Users And Groups console, or the Net 
Localgroup command to manage group 
membership. 


There’s nothing wrong with “unknown” accounts, and if 
you need to use other security groups to classify the 
user accounts on your computer, you should do so. In 
User Accounts, all the usual account-management 
tasks are available for accounts of Unknown type, but 
if you want to view or change group membership, 
you'll need to use one of the other account- 
management tools: Local Users And Groups, the 
Windows 2000-style Users Accounts, or the Net 
Localgroup command. We describe all three of these 
tools in detail in “Managing User Accounts for 
Security.” 


Built-In Security Groups 


Windows includes several built-in security groups, each with a 
predefined set of rights, permissions, and restrictions. Table 2-1 
provides a brief description of the groups and specifies which ones 
are included in each version of Windows. 


Table 2-1. Built-In Security Groups in Windows 


Windows Windows ,,.. 
Group XP XP Home eS Description 


Professional Edition BUG 


Windows Windows Windows 
Group XP XP Home Description 


Professional Edition =e 


Administrators Yes Yes Yes The most 
powerful 
group, with 
full control 
over the 
system. 


Power Users Yes Yes Includes 
many, but not 
all, privileges 
of the 
Administrators 
group. 


Users Yes Yes Yes Limited 
privileges for 
users who 
don’t need to 
administer the 
system. 


Guests Yes Yes Yes Provides 
limited access 
for occasional 
users and 
guests. 


Backup Yes Yes Provides the 

Operators privileges 
needed 
restore folders 
and files, 
including ones 
that members 
aren't 
otherwise 
permitted to 
access. 


Windows Windows Windows 
Group XP XP Home Description 


Professional Edition =e 


Replicator Yes Yes Members can 
manage file 
replication, a 
feature of 
domain-based 
networks. 


Network Yes Members can 

Configuration set up and 

Operators configure 
network 
components. 
(For details, 
see Microsoft 
Knowledge 
Base article 
Q297938.) 


Remote Yes Provides 

Desktop Users access toa 
computer via 
Remote 
Desktop 
Connection. 


HelpServices Yes Yes Allows 

Group technical 
support 
personnel to 
connect to 
your 
computer. 


Roles of Security Group Members 


Members of the Administrators group have total control of the 
computer. By default, administrators have full, unfettered access 
to all files and to all keys in the registry. And administrators can 
grant to themselves any right or permission they do not already 
have. Administrators’ privileges include the ability to 


e Create, change, and delete user accounts and 
security groups 


e Install programs 

e Share folders 

e Set permissions 

e Access all files 

e Take ownership of files 


e Grant rights to other user accounts and security 
groups as well as to themselves 


e Install or remove hardware devices 


e Log on in Safe Mode 


By default, the Administrators group includes all local user 
accounts that you create during setup. If you upgrade to Windows 
XP from Windows NT or Windows 2000, the Administrators group 
retains all its members from your previous operating system. If 
your computer is joined to a domain, the Domain Admins group is 
a member of the local Administrators group. 


Members of the Power Users group hold most of the same 
privileges as users in the Administrators group. Power users 
cannot take ownership of files, back up or restore files, load or 
unload device drivers, or manage the security and auditing logs. 
Unlike ordinary users, however, Power users can share folders; 
create, manage, delete, and share local printers; and create local 
users and groups. 


Members of the Users group should not be able to inflict damage 
on the operating system or installed programs. By default, 
members of the Users group are not allowed to do the following: 


e Modify machine-wide registry settings—those that 
affect all users (for example, anything in the 
HKEY_ LOCAL MACHINE hive). 


e Modify operating system files. 


e Modify files of programs installed by an 
administrator for all users. 


e Install programs that others can use or run 
programs that other members of the Users group 
have installed. This important restriction limits the 
effect of a Trojan horse, which can be run only when 
started by the user who (inadvertently) installed it. 


Use administrator accounts sparingly 


Microsoft’s security experts routinely recommend that 
anyone responsible for a computer running Windows 


avoid logging on for everyday use with an account that 
belongs to the Administrators group. Instead, they 
suggest using an account with fewer system privileges 
for everyday activities such as running applications and 
browsing the Web, and logging on as an administrator 
only on those infrequent occasions when you need to 
perform administrative tasks. In theory, at least, this 
practice helps you avoid the risk that you'll damage the 
system configuration or allow a virus or Trojan horse to 
infect it. In Windows 2000, you can easily assign your 
everyday account to the Power Users group without 
encountering many inconveniences in normal use. By 
contrast, restricting yourself to a limited account in 
Windows XP can be a frustrating experience because 
its set of built-in privileges interferes with many 
programs that weren’t specifically written for Windows 
XP. Still, if you can work around the frustrations, you 
can significantly increase your security with this simple 
safeguard. 


In addition to the groups just discussed, Windows automatically 
maintains a number of built-in security principals that are not 
shown in the Local Users And Groups list and whose membership 
cannot be managed by an administrator. Some of these groups 
exist for obvious special purposes. For instance, anyone who 
connects to a computer over a dial-up connection is automatically 
added to the Dialup group and is subject to any restrictions 
assigned to that group. Two built-in groups deserve special 
mention: 


e Everyone. This group includes all users who access 
the computer, including users in the Guests group. 
In Windows 2000, but not in Windows XP, this group 
also includes members of the Anonymous Logon 
group. 


e Authenticated Users. This group includes any user 
who logs on with an account that is authenticated 
locally. This group does not include guest accounts 
or members of the Anonymous Logon group. 


With the exception of the Everyone group, built-in groups are not 
routinely used for assigning file access. Instead, their purpose is 
to control specific user rights, such as the right to access a 
computer over the Internet. An individual’s right to access shared 
folders, however, will be controlled by a different set of file 
permissions. 


Controlling the Logon and 
Authentication Process 


The purpose of logging on to Windows—providing 
a user name and password—is to allow Windows 
to authenticate you. In theory, the process of 
logon and authentication verifies that you are 
who you claim to be (because, presumably, only 
the owner of a user account knows its user name 
and its password). On the surface, the process is 
quite simple: Depending on how your computer is 
configured, you press Ctrl+Alt+Del to display the 
Log On To Windows dialog box, or you click your 
user name on the Welcome screen; you enter 
your password (your user name is already 
entered) and click OK; and a few moments later 
your desktop appears. 


Under the hood, a lot is going on to allow this 
seemingly simple task to be performed as 
securely as possible—all under the control of the 
Local Security Authority (LSA). This process is 
explained in great detail in Microsoft Windows XP 
Professional Resource Kit Documentation 
(Microsoft Press, 2001). In this chapter, we 
concentrate on the type of logon used on stand- 
alone computers and on computers that are not 
joined to a Windows 2000 Server or Windows 
.NET Server domain: an interactive logon using 
NTLM authentication. 


An interactive logon is one of four types of logon 
processes handled by Windows XP and Windows 
2000. It’s the process of logging on to a local 
computer to which you have direct physical 
access or to which you connect via Remote 
Desktop Connection or Terminal Services. The 
other logon types are network, which is used for 


accessing another computer on your network; 
service, which is used by services to log on using 
the LocalSystem account or the credentials of a 
user account, depending on how the service is 
configured; and batch, which is for applications 
that run as batch jobs (such as a program that 
updates a corporate database server overnight) 
and is almost never used in small networks. 


During the authentication process, the computer 
that’s asking for permission to access a resource 
must exchange information with the computer 
that manages security for that resource. From a 
security standpoint, it is almost never acceptable 
to send a user name and password over any 
network in unencrypted form (referred to as plain 
text or clear text). In Windows XP and Windows 
2000, this communication is encrypted using one 
of two authentication protocols: Kerberos V5 or 
NTLM. Kerberos is the default authentication 
protocol on computers running Windows XP and 
Windows 2000; however, these computers fall 
back to NTLM authentication when they are not 
joined to a Windows 2000 Server or Windows 
.NET Server domain—in other words, on stand- 
alone computers and on workgroups of any size 
that consist of a mix of computers running 
Windows. 


The Kerberos protocol uses extremely 
sophisticated encryption to prevent unauthorized 
intruders from intercepting traffic on the network 
and breaking a password. By contrast, the NTLM 
protocol uses a challenge/response 
authentication mechanism: The computer 
managing security for the resource issues an 
encrypted challenge to the computer that’s 
requesting access, which in turn must provide the 


correct encrypted response, using an encryption 
key based on the password for that user account. 


NTLM authentication in Windows XP and Windows 
2000 supports three NTLM variants: 


e LAN Manager (LM). This is the 
least secure authentication method 
in Windows XP. It’s used only when 
you connect to shared folders on 
computers running Windows for 
Workgroups, Windows 95/98, or 
Windows Me. 


e NTLM version 1. More secure than 
LM, this variant is needed only 
when you connect to servers ina 
Windows NT domain in which a 
domain controller is running 
Windows NT 4 Service Pack 3 or 
earlier. 


e NTLM version 2. This is the most 
secure form of challenge/response 
authentication. It is the one used to 
connect to other computers running 
Windows XP or Windows 2000 or to 
servers in a domain where all 
controllers are running Windows NT 
4 Service Pack 4 or later. 


Shut down LM to tighten network 
security 


If all the computers on your network 
run Windows XP or Windows 2000, 
you can disable the weaker 
authentication variants, thereby 
closing a couple of additional avenues 
that attackers might use. To disable 


these variants, start Local Security 
Settings (type secpol.msc at a 
command prompt), and open Security 
Settings\Local Policies\Security 
Options. In the details pane, double- 
click Network Security: LAN Manager 
Authentication Level (in Windows XP) 
or LAN Manager Authentication Level 
(Windows 2000). In the list, select 
Send NTLMv2 Response Only\Refuse 
LM & NTLM. This helps to stymie 
password-cracking tools such as LC3, 
which captures password-bearing 
packets from network traffic. Note, 
however, that taking this step will 
effectively break communications 
between your computer and those 
running earlier versions of Windows. 


How Interactive Logons Work 


In an interactive logon, a complex sequence of 
events occurs: 


1. As the last step of the boot process, 
Winlogon.exe starts. 


2. Winlogon calls the Microsoft 
Graphical Identification and 
Authentication dynamic-link library 
(Msgina.dll), which obtains your 
user name and password using one 
of the following two techniques: 


e If you’re using the 
Welcome screen in 
Windows XP (also 
known as the secure 
desktop), a list of 
available user 
accounts appears. 
Click a user name to 
display an input 
dialog box and enter 
your password. 


e On a computer 
running Windows 
2000 (or Windows XP 
with the classic logon 
option), press 
Ctrl+Alt+Delete to 
display the Log On To 
Windows dialog box 
and enter your user 
name and password. 


3. Winlogon passes the user name and 
password to the LSA, which then 
determines whether the logon is to 
be authenticated on the local 
computer or over the network. 
(This depends on the choice you 
make in the Log On To box.) 


4. For local logons, the LSA consults 
the SAM, a protected database that 
manages user and group account 
information. 


5. If the user name and password are 
valid, the SAM returns to the LSA 
the user’s SID and the SIDs for all 
groups to which the user belongs. 


6. The LSA uses this information to 
create an access token, an 
identifier that accompanies the user 
throughout the session. An access 
token is a sort of “badge” that the 
LSA flashes on behalf of the user 
whenever the user requests access 
to a protected resource. 


7. Winlogon starts the Windows shell 
with the user’s token attached. 


A secure logon process—one that prevents 
unauthorized users with physical access to your 
computer from logging on—requires disabling 
some of the convenience features available in 
Windows. Specifically, you might want to consider 
eliminating the following convenience features, 
each of which represents a potential security 
vulnerability; you'll find step-by-step instructions 
in the checklist at the end of this chapter: 


Replace the Welcome screen with the classic 
logon dialog box. Available only in Windows XP 
and only when the computer is not joined to a 
domain, the Welcome screen, shown in Figure 2- 
2, presents a friendly face and lets you log on 
with a simple click (and entry of a password, if 
your account requires one). The Welcome screen 
exposes the user names of all users to anyone 
who walks by. In addition, password hints for all 
users are available with a couple of clicks. 
Knowing the user name and a password hint, an 
attacker is well on the way to an authenticated 
logon. 


“-Figure 2-2. The Welcome screen in 
Windows XP offers too much information to 
passersby. 


Force Windows to display a secure logon 
screen. The Welcome To Windows dialog box, 
shown in Figure 2-3, asks you to press 
Ctri+Alt+ Delete, Known as the secure attention 
sequence. Although this extra keystroke might 
seem inconvenient, it’s your guarantee that 
Winlogon is calling Msgina.dll to request your 
user name and password. Only Windows 2000 or 
Windows XP can respond to this reserved key 
combination properly; the Ctri+Alt+Delete 
sequence will cause a system reboot or display a 
Task Manager dialog box if a stealthily installed 
password-stealing program is displaying its own 
counterfeit version of the password-request 
screen in an effort to collect your password and 
send it off to an attacker. 


“-Figure 2-3. Displaying this screen ensures 
that Windows—not a Trojan horse—is 
capturing your logon information. 


Disable automatic logons. Under Windows XP 
and Windows 2000, your computer can be 


configured to bypass the Log On To Windows 
dialog box completely. In this configuration, 
Windows automatically enters a default user 
name and password whenever your computer 
starts up. This means that anyone who has 
physical access to your computer can log on by 
flipping the power switch—even if your computer 
is currently turned on and you're logged off. 
(Think autologon is safe on a home computer? 
Think again. We advise against it because of the 
risk that a thief might steal the computer and 
gain access to sensitive information just by 
turning it on.) As Figure 2-4 shows, you can 
configure this option to use any account and 
password. 


“-Figure 2-4. The autologon feature 
automatically enters the specified user name 
and password at startup. For most Windows 
users, this is a security risk. 


Set up a safe autologon option 


In general, we strongly discourage the 
use of autologon—especially when the 
default account is a member of the 
Administrators group. However, in one 
circumstance, autologon is safe and 
sensible. For a computer shared by 
several workers who log on with the 
same account, or for one set aside for 
use by the public (in the lobby of an 
office building, for example), it makes 
sense to set up a highly restricted 
user account and use it as the default 
account. In case of a power failure or 
accidental reset, the system will 
automatically start up with this default 
account rather than leaving users at a 
cryptic logon screen. 


Safeguarding the Security Accounts 
Manager 


The Security Accounts Manager stores account 
password information in the registry. Although 
this information is encrypted using a 128-bit 
encryption key, it presents a tempting target to 
attackers, as you might imagine. In Windows NT 
4, in fact, a number of well-publicized 
vulnerabilities made it possible for attackers to 
break into the SAM and extract the encrypted 
password values (called hashed values), after 
which they could work on the stored data with 
password-cracking utilities. Microsoft’s response 
was to tighten security with a utility called 
Syskey, introduced in Windows NT 4 Service Pack 
3. Syskey, which is enabled by default in 
Windows XP and Windows 2000 (it was optional 
in Windows NT 4), protects account information 
stored in the SAM by using multiple levels of 
encryption. (That is, the password information is 
encrypted by a per-user-account password 
encryption key, which is encrypted by a master 
protection key, which is encrypted by the startup 
key. Did you follow all that?) 


By default, the startup key is a machine- 
generated random key stored on the local 
computer. This ordinarily provides excellent 
protection for the password information in the 
registry. On a computer whose SAM has been 
protected with Syskey, it is nearly impossible for 
unauthorized users to extract the hashed 
passwords, even if they have physical access to 
the computer. On computers that require extra- 
high levels of protection, it’s possible to ratchet 
this already high level of security another notch, 
by removing the Syskey code from the computer 


and copying it to a floppy disk. For details on the 
pros and cons of this technique, as well as step- 
by-step instructions, see Adding Another Layer of 
Protection with Syskey. 


Using Group Policy to Restrict Access 


One of the most powerful features of Windows XP 
Professional and Windows 2000 is support for 
Group Policy settings. After logging on as an 
administrator, you can use a fairly straightforward 
tool called the Group Policy snap-in to define 
security settings for a local computer, to control 
more than 450 aspects of the operating system’s 
behavior, and to automate what happens at 
startup and shutdown and when users log on or 
off. (A part of the Group Policy snap-in, called 
Local Security Policy, handles a subset of these 
settings and can be a useful tool also.) Ona 
Windows domain, Group Policy is especially 
powerful, giving administrators complete control 
over user settings for everyone who logs on to 
the domain. 


The features described in this section 
do not work in Windows XP Home 


Edition. If you attempt to run the 
Local Security Policy snap-in, Windows 
displays an error message. 


To open the Group Policy console, enter 
gpedit.msc at a command prompt. Figure 2-5 
shows the resulting window, with the User Rights 
Assignment category expanded. 


“-Figure 2-5. Use the Group Policy console 
to adjust what users and groups can do on 
the local computer. 


Because Group Policy settings can be applied to 
users and groups, you can use this feature to 
customize security settings quite effectively. 
Items in the Computer Configuration category 
include access control settings for users and 
groups. Using settings in the Password Policy 


group, for instance, you can force all limited user 
accounts (members of the Users group) to create 
complex logon passwords, require that they 
change the password at regular intervals, and 
prevent them from reusing old passwords. 
(Unfortunately, there’s no policy that will keep 
users from writing passwords on sticky notes and 
slapping them on the side of their monitor!) 
Similarly, the User Rights Assignment section 
allows you to prevent certain users or groups 
from shutting down the computer or resetting the 
system clock. 


Settings listed under User Configuration apply to 
all users of the local computer and can be 
overridden only by an administrator. When you 
make changes in Group Policy in Windows XP 
Professional and Windows 2000, your new 
settings are stored in the registry. Most of the 
settings in this section are self-explanatory, with 
detailed descriptions available via online help. If 
you're using Group Policy under Windows 2000, 
you can see a detailed explanation when you 
double-click any item on the list. If you use 
Windows XP Professional, the same help text is 
visible on the Extended tab so that you can scroll 
through the list of settings and learn how each 
one works, as shown here, without having to 
open each item individually. 


For more details about using Group 
Policy, see Chapter 19, “Managing 


Security Templates.” 


Ensuring the Security of Files 


Among the most powerful security features of 
Windows XP and Windows 2000 are the ones that 
allow you to restrict access to files and folders, 
both on the local computer and across network 
shares. In this section, we look at the sometimes 
confusing mechanisms you need to master to 
take advantage of these features. 


Using NTFS Permissions 


For every object stored on a volume formatted 
with the NTFS file system, Windows maintains an 
access control list (ACL). As its name implies, this 
list defines which users are allowed access to that 
object—typically a file or folder—and which users 
are denied access. Individual items in the ACL are 
called access control entries (ACEs) and are made 
up of the following information: 


The SID for a user or group. 
(Remember that Windows uses 
SIDs, not user or group names, to 
keep track of access rights.) 


The list of permissions that make 
up the access right, drawn from a 
long list of basic and special 
permissions—Full Control, Read, 
and Write, for instance. 


Inheritance information, which 
determines whether and how 
Windows applies permissions from 
the parent folder. 


A flag that indicates whether access 
is being allowed or denied. 


Probably no subject in Windows XP and Windows 
2000 is more confusing than NTFS permissions. 
Figuring out the interaction of inherited 
permissions and determining which ones take 
precedence in the case of conflicts between 
individual and group ACEs can be daunting tasks. 
In Windows 2000, you can inspect these details 
by right-clicking an object, choosing Properties, 
and clicking the Security tab. As Figure 2-6 


shows, this tab offers a concise, although hardly 
intuitive, display of the current ACL. 


“-Figure 2-6. Deciphering the ACL for this 
folder can be a challenge. 


In Windows XP Professional, the Security tab is 
essentially the same (although it’s slightly better 
organized), but many Windows users never see it 
at all, thanks to a feature called Simple File 
Sharing. When this configuration option is 
enabled (as it is in a default installation on any 
computer that is not part of a Windows domain), 
Windows drastically reduces the number of 
options available to users and sets permissions 
only when you choose to make files in your 
personal profile private. On a computer running 
Windows XP Home Edition, Simple File Sharing is 
always on, and the only time you see the Security 
tab is when you boot into Safe Mode. 


For more details about Simple File 
Sharing, including instructions on how 


to disable it, see Viewing_and 
Changing NTFS Permissions. 


See all permissions at a glance 


Windows XP includes a new feature, 
not found in Windows 2000, that helps 
you sort out the interaction of 
permissions. This capability can be a 
helpful troubleshooting tool if you’ve 
assigned several sets of permissions 
to different users and groups and the 
results are not what you expect. To 
use this option, you must have Simple 
File Sharing disabled. Right-click the 
icon for an object, choose Properties, 
and then click the Security tab. Click 


Advanced, and then click the Effective 
Permissions tab to see a Summary of 
the access controls in effect for the 
selected object. 


By default, Windows 2000 does a fairly good job 
of setting permissions on default directories. If 
you store all your data in the My Documents 
folder associated with your personal profile, for 
instance, access is automatically restricted to 
your account, the System account, and the 
Administrators group. Windows XP does the same 
and goes a step further, adding an option to 
automatically make all files in your personal 
profile private, which removes the Administrators 
group from this list so that only you can access 
your personal files. Anyone else who logs on to 
the computer is locked out. 


Default permissions in other locations are less 
predictable, however. Under Windows 2000, if 
you create a new folder in the root of the C drive, 
the default permissions will assign Full Control to 
the Everyone group, which means that any users 
who log on to that computer can add, remove, or 
change files in that folder, even if they’ve logged 
on using the restricted Guest account. By 
contrast, when you create the same sort of folder 
under Windows XP, the default permissions allow 
limited users (including the Guest account) to 
read existing files and create new ones but not to 
rename, edit, or delete existing files. 


Learning the ins and outs of Simple File Sharing 
is essential to maintaining security with Windows 
XP. After you understand how this restricted 
menu of permissions works, you might choose to 
disable Simple File Sharing and return to the 
Windows 2000-style NTFS Security dialog box. If 


that’s your choice, it’s especially important to 
learn how to apply NTFS permissions properly. 


Sharing Files Over a Network 


In Windows XP and Windows 2000, any user who 
is a member of the Administrators or Power Users 
group can designate a folder for shared access. 
(Limited users cannot create a shared folder.) 
Sharing a folder has no effect on users who log 
on to the computer locally; it affects only users 
who want to access data over the network. 


Understanding the basics of shared folders is 
essential to maintaining the security of shared 
files: 


e When you share a folder, all files in 
that folder are available to network 
users with the appropriate 
permissions. You cannot selectively 
share individual files within a folder. 


e In Windows XP and Windows 2000, 
you can designate a shared folder 
as read-only, or you can give 
network users permission to change 
files in the shared folder. 


e You cannot assign a password to a 
shared folder (as you can in 
Windows 95/98 or Windows Me). 
You can, however, specify that 
some folders allow only read 
access, while others allow full 
access. 


e By default, Windows 2000 grants 
the Everyone group full access to a 
shared folder. You can change these 
permissions so that different users 
and groups have different levels of 


access (Full Control, Change, or 
Read) from the network. 


If files in a shared folder are 
secured with NTFS permissions, 
those permissions apply to anyone 
accessing the files over the 
network. Thus, even when 
permissions on a shared folder 
allow the Everyone group full 
access over the network, you can 
still lock out unauthorized users and 
groups by selectively applying NTFS 
permissions to files or to the folder 
itself. 


e When you use Simple File Sharing, 
Windows XP authenticates all 
access to shared folders using the 
Guest account. As a result, any 
shared folder is accessible to any 
user who can reach it over the 
network. This can cause an 
unacceptable security risk if a folder 
you want to share holds sensitive 
files. In that case, you must disable 
Simple File Sharing and use the 
Windows 2000-style sharing 
interface instead. The option to 
disable Simple File Sharing is not 
available with Windows XP Home 
Edition. 


For more details about sharing folders 


over a network, see Restricting 
Network Access to Files and Folders. 


Encryption Options 


On drives that use the NTFS file system, you can 
significantly increase the security of individual 
files and entire folders by encrypting those files. 
When you do so, Windows uses your public 
encryption key to encrypt the files so that they 
can be unlocked only by your private key, which 
is available only when you log on to your user 
account. The protection offered by the encrypting 
file system is essentially uncrackable. Even if 
intruders can gain access to the files, they will 
not be able to decrypt the data without your 
private encryption key, which is separate from 
your password. To an intruder, the encrypted files 
look like random combinations of letters and 
numbers and are literally unreadable. That’s good 
news if you’re trying to protect files from prying 
eyes. It’s very bad news, however, if you lose the 
encryption key. If you plan to use NTFS 
encryption, be sure to read Before You Begin: 
Learn the Dangers of EFS. 


Securing Your Computer: A 
Checklist 


Maintaining a secure computer isn’t something 
you do in your spare time every few weeks or 
months. The most effective security program is 
one that’s built around a sensible and 
comprehensive security policy. To get you 
started, we’ve put together a checklist of tasks 
you should perform right now to eliminate any 
existing security holes on your computer. 


1. Install All Windows Security Patches 


This task belongs at the top of the list, and for 
good reason. Without exception, every version of 
Windows ever released includes bugs and defects 
that open the door for intruders. Over time, as 
these security problems are identified, Microsoft’s 
developers release patches and updates 
(sometimes referred to as hotfixes) that repair 
the problems. At regular intervals, Microsoft 
releases service packs, which incorporate all bug 
fixes and security updates to that point. You can 
use any or all of the following options to 
determine which fixes are necessary for your 
computer: 


e In Windows XP, configure the 
Automatic Updates feature to check 
for critical updates at regular 
intervals. You can choose to receive 
notifications only, download the 
updates automatically, or (if you 
have Service Pack 1 installed) have 
Windows update your system files 
automatically. To configure this 
feature, open the Systems option in 
Control Panel (under Performance 
And Maintenance if you’re using 
Category view) and click the 
Automatic Updates tab. 


-Connect to the Windows Update 
online service manually to 
download and install all service 
packs and critical updates that are 
appropriate for your version of 
Windows. Point your browser to 
http://windowsupdate.microsoft.co 


m, or use the shortcut at the top of 
the Start menu, on the Tools menu 
in Microsoft Internet Explorer, or in 
the Help And Support Center in 
Windows XP. Windows Update scans 
your system using an Activex 
control and presents a list of 
suggested updates for point-and- 
click download and installation. 
Windows Update works with 
Windows 2000 and Windows XP as 
well as Windows 95/98/Me. 


Use the Microsoft Network Security 
Hotfix Checker (Hfnetchk.exe) to 
perform an inspection of your local 
computer or multiple computers on 
your network to identify missing 
hotfixes and service packs. This 
command-line utility uses an XML 
database to scan your operating 
system files. As the output in Figure 
2-7 shows, it identifies all currently 
installed service packs and patches, 
and recommends updates that 
might be appropriate for your 
computer but that are not currently 
installed. This utility is especially 
adept at identifying patches for SQL 
Server and other commonly used 
system components not covered by 
Windows Update. 


“-Figure 2-7. The Network 
Security Hotfix Checker 
recommends security patches 
that are appropriate for your 
current system setup. 


e Browse the list of security updates 
at Microsoft's Hotfix & Security 
Bulletin Service 
(http://www. microsoft.com/technet 
/security/current.asp), and 
download any patches that are 
appropriate for your computer or 
network. You can search the list by 
product and service pack number, 
or you can view the entire list in 
reverse chronological order, 
beginning with the most recent 
security bulletins. 


e Use the Microsoft Baseline Security 
Analyzer (MBSA) to analyze your 
local computer or your entire 
network for missing hotfixes. MBSA, 
which works with Windows NT 4.0, 
Windows 2000, and Windows XP, 
uses the HFNetChk technology and 
comes with a graphical user 
interface and command line 
version. In addition to scanning for 
missing hotfixes, MBSA scans and 
report on other system 
vulnerabilities in Windows, IIS, and 
SQL Server, including blank user 
account passwords, the file system 
type used, all available shares with 
their configured permissions, and 
more. 


Insist on timely updates 


Windows Update is a terrific and 
useful service, but for extremely 
security-conscious Windows users it 
might fall short. Windows Update 


includes patches for the Windows 
operating system and related 
components (including Internet 
Explorer and IIS); it does not offer 
updates for non-Windows products like 
SQL Server. In addition, you'll often 
find a delay of days or weeks between 
the time a security bulletin is 
published and when it is available on 
Windows Update. If you prefer to 
receive notification of security updates 
for all Microsoft products as soon as 
they’re released, subscribe to 
Microsoft’s Security Notification 
Service. To join the list, send a blank 
e-mail to securbas@microsoft.com. 


For more details about Windows 
Update, service packs, and hotfixes, 


see Chapter 7, “Keeping_Your System 
Secure.” 


2. Eliminate or Disable Unused 
Accounts 


One common avenue that intruders use to attack 
Windows is to look for user accounts that are 
poorly secured. On business networks, an all-too- 
common mistake is to fail to remove a user 
account after an employee quits or is fired. If the 
account remains active and the password is 
unchanged, a disgruntled ex-worker can break 
into the computer and steal data or sabotage the 
system. The potential for damage is even worse if 
the former employee has remote access 
privileges that haven’t been promptly revoked. To 
view the complete list of user accounts in 
Windows XP Professional or Windows 2000 
Professional, open the Local Users And Groups 
snap-in from the Computer Management console 
(Control Panel, Administrative Tools, Computer 
Management). 


See the complete list 


Don’t rely on the abbreviated list of 
user accounts that appears when you 
open Control Panel and choose User 
Accounts (Windows XP) or Users And 
Passwords (Windows 2000). This list 


shows only accounts that are available 
for local logon. Other accounts, such 
as those created by a FrontPage- 
enabled Web server or a virtual 
private network (VPN) connection, are 
hidden. 


Figure 2-8 shows the list of accounts on a 
computer running Windows XP Professional. To 
remove an account, right-click its entry in the 


Users list and choose Delete from the shortcut 
menu. To temporarily disable an account without 
removing its associated files and permissions, 
double-click its entry in the Users list and select 
the Account Is Disabled option on the General tab 
of the properties dialog box. 


“-Figure 2-8. Use the Computer 
Management console to identify and 
eliminate unused accounts so that they can't 
be accessed by intruders. 


Unfortunately, if you use Windows XP Home 
Edition, the Local Users And Groups option is 
missing from the Computer Management console, 
and trying to run it manually (either by adding 
the Local Users And Groups snap-in to an MMC 
console or entering the lusrmgr.msc command) 
produces only an error message. To work with 
the complete list of user accounts, try the net 
user command; you'll find full details in Disabling 
or Deleting User Accounts. 


3. Set Strong Passwords for All User 
Accounts 


Weak passwords are the would-be intruder’s best 
friend—a point we make repeatedly in this book. 
By default, all new accounts created in Windows 
XP have a blank password and belong to the 
Administrators group. If you’re serious about 
security, assign a password to every account; 
your password should be at least eight characters 
long and composed of a random selection of 
letters, numbers, and symbols that can’t be 
found in any dictionary. For details, see Creating 
Strong Passwords. 


4. Tighten Logon Security for All Users 


In Chapter 1, we discussed the tradeoffs between 
security and convenience. Tipping the balance too 
heavily in favor of convenience can be 
catastrophic to your security. Why make life 
easier for a would-be intruder? Forcing a secure 
logon can significantly decrease the likelihood 
that an unauthorized person will be able to break 
into your computer while you're away. 


To disable the Windows XP Welcome screen, open 
Control Panel and run the User Accounts option. 
Click Change The Way Users Log On Or Off and 
then clear the Use The Welcome Screen box. 
Click Apply Options to make the change effective. 
(Note that making this change disables the Use 
Fast User Switching option.) 


“If you're using the so-called classic logon 
prompt (the default setting in Windows 2000 and 
an option in Windows XP), configure Windows so 
that every user is required to press 
Ctrl+Alt+Delete and provide his or her password 
to log on. The Secure Logon option is available on 
the Advanced tab of the User Accounts dialog 
box, shown in Figure 2-9. Windows 2000 users 
can access these settings from the Users And 
Passwords option in Control Panel; if you’re using 
Windows XP in workgroup or stand-alone mode, 
enter the command control userpasswords2 to 
open this dialog box. 


“Figure 2-9. For additional logon security, 
select the option at the bottom of this dialog 
box so that every user must press 
Ctrl+Alt+Del to log on. 


Finally, make sure that the autologon feature is 
not enabled. Open the Users And Passwords 


dialog box as described in the previous 
paragraph, click the Users tab, and select the 
Users Must Enter A User Name And Password To 
Use This Computer option. 


For many more details about removing 
vulnerabilities in the logon process, see 


5. Install and Configure a Firewall 


A firewall is a system or software that controls 
the flow of traffic between networks and protects 
your computer or network from intruders. This 
extra layer of protection is especially important 
on any computer with an “always on” Internet 
connection, such as a DSL line or cable modem. 
Firewalls vary widely in their cost and features, 
but in general they consist of hardware, software, 
or a combination of the two, which prevents 
unauthorized users from interactively logging on 
to network resources from the outside. On most 
networks, a firewall acts as a single point of 
access to the outside world, making it easier to 
enforce security settings and to keep a log of 
intrusion attempts. 


Consider one or more of the following additions 
to increase security on a single computer or a 
small to medium-sized network: 


Configure custom ports The built-in Internet 
Connection Firewall (ICF) included with Windows 
XP effectively blocks all incoming traffic from the 
outside except on ports where you’ve requested 
data. The ICF is automatically configured when 
you run the Network Setup Wizard. Many 
Windows-based programs can work seamlessly 
through the firewall (all traffic from the local 
machine is allowed out), although you might 
need to configure some ports manually before 
you can run a third-party program that uses 
nonstandard ports. To adjust ICF settings, you 
must burrow deep into the Windows interface. 
Open the Network Connections option in Control 
Panel, double-click the icon for your Internet 
connection, click the Properties button, and click 
the Advanced tab. After making sure the Internet 


Connection Firewall option is selected, click the 
Settings button to display the dialog box shown 
in Figure 2-10. (For more details about how ICF 
works and how you can configure it, see Using 
Internet Connection Firewall in Windows XP.) 


Upgrade the firewall software Third-party 
firewall programs are appropriate for use with 
Windows 2000, which includes no firewall utility 
of its own, and for Windows XP administrators 
who want more protection than ICF provides, 
such as the capability to block or filter outbound 
traffic. In addition to intrusion detection and 
logging, many of these programs supply tools to 
help you configure traffic on a per-application 
basis, allow virtual private network connections, 
and alert you when intrusion attempts are taking 
place. 


“-Figure 2-10. Selecting any of these 
preconfigured options in the Windows XP 
Internet Connection Firewall allows traffic to 
flow through the firewall. Click the Add 
button to create custom settings for third- 
party programs. 


Add hardware protection Hardware-based 
firewall products range from simple routers, 
which offer Network Address Translation services 
and port filtering, to complex devices that inspect 
every packet entering a network to determine 
whether and how it should be allowed to pass. On 
small networks, the combination of a simple 
hardware device and desktop firewall software 
can be a very effective form of protection. (For a 
more detailed discussion of hardware-based 
firewall products, see Using_a Hardware Firewall 
Appliance.) 


6. Install and Configure Antivirus 
Software 


Given the pandemic spread of viruses on the 
Internet in recent years, it’s foolhardy to even 
think of connecting a computer to the Internet 
without robust, up-to-date antivirus software. 
Dozens of options are available, most at relatively 
modest prices. More important than installing the 
software, of course, is making sure that its virus 
signatures are current. The best antivirus 
programs include software agents that handle 
this chore automatically. 


After installing the software and the latest 
updates, scan your system to ensure that you're 
virus-free. 


7. Use NTFS for All Drives 


If you’ve upgraded from Windows 98 or Windows 
Me to Windows XP, one or more drives on your 
system might still be using the FAT32 file system. 
Even on a clean installation of Windows 2000 or 
Windows XP, you have the option to choose 
FAT32 or NTFS. Some users do choose FAT32, 
either from force of habit or because they want to 
be able to access the data on that drive from 
earlier versions of Windows. The security benefits 
of NTFS are overwhelming in comparison to 
FAT32 drives, however. Continuing to use FAT32 
is justifiable only on computers where data 
security is less important than the ability to boot 
into multiple operating systems. 


To quickly determine the file system in use on a 
given drive, open the My Computer window, 
right-click the icon for any drive, and choose 
Properties. The current file system is listed on the 
General tab, as shown here. 


“TO convert a FAT32 drive to NTFS, you must 
use the command-line Convert utility with the 
/FS:NTFS switch. If you attempt to run this 
command on a drive that contains Windows 
system files or the system paging file, Windows 
will schedule the conversion to take place at 
startup after you reboot the computer. 


Converting a FAT32 drive to NTFS ona 
computer that was upgraded to 
Windows XP from an earlier version of 
Windows can have unintended 
negative consequences for 
performance. For a discussion of the 
best way to carry out this conversion, 
see Chapter 26, “Managing Disks and 


Drives,” in our earlier book, Microsoft 
Windows XP Inside Out (Microsoft 
Press, 2001). 


8. Review NTFS Permissions on All Data 
Directories 


Tinkering with NTFS permissions is a tricky 
business. Unless you fully understand how these 
permissions work (including how permissions are 
inherited from higher-level folders and how 
permissions are transferred when folders or files 
are moved or copied), you should be wary of 
changing any permissions. In general, follow 
these guidelines whenever possible: 


e Use default storage locations. 
Install programs in subfolders 
under the Program Files folder and 
store personal data in the My 
Documents folder; in both cases, 
Windows applies a known set of 
permissions that you can tighten if 
necessary. If you have data files 
that are stored outside the default 
locations, consider moving them. 


e On Windows XP installations that 
are not joined to a domain, use the 
Simple File Sharing interface and 
the Network Setup Wizard to 
establish a baseline set of file and 
folder permissions. Afterward, you 
can modify these permissions as 
needed. 


e Test the effect of permissions by 
trying to access protected files from 
a limited account. Create a limited 
local account (Windows XP) or an 
account in the Users group 
(Windows 2000), log on with that 


account, and try to access files in 
the protected locations. (Be sure to 
eliminate or disable the test 
accounts when you're finished!) 


Go back to square one 


If you (or someone else) has 
experimented extensively with the 
default permissions on an existing 
Windows installation and you’re not 
confident that system and data files 
are properly protected, you can use a 
security template to reapply the 


default permissions to your computer. 
This procedure is fully documented in 
Knowledge Base article Q266118, 
“How to Restore the Default NTFS 
Permissions for Windows 2000.” We 
discuss the Security Configuration And 
Analysis snap-in and the built-in 
Windows security templates in Using 
Security Templates. 


9. Review All Network Shares 


Windows allows you to specify that all files in a 
particular folder should be available for sharing 
with other users over the network. You can create 
a multitude of individual shares on your computer 
for use with individual projects. If you’re not 
meticulous about cleaning up after each project is 
finished, however, you could end up with shared 
folders that are open to view by anyone on the 
network. Every so often, it’s a good idea to 
review the complete list of network shares and 
eliminate any that are no longer needed. To see 
the full list of shares, open Control Panel’s 
Administrative Tools folder and double-click the 
Computer Management icon. In the Computer 
Management window, double-click Shared Folders 
and then click Shares. Figure 2-11 shows one 
such list. 


“-Figure 2-11. Inspect the list of shares 
regularly and remove any that are no longer 
needed. 


In Windows 2000, you can right-click any entry in 
the Shares list and inspect its properties or 
remove the share. In Windows XP Professional, 
these options are available only if you’ve disabled 
Simple File Sharing; in a default, nondomain 
installation of Windows XP Professional, this list is 
read-only. That’s also true on a computer running 
Windows XP Home Edition, where Simple File 
Sharing cannot be disabled. 


In Windows XP Home Edition and Windows XP 
Professional with Simple File Sharing enabled, 
you can use Windows Explorer to stop sharing a 
folder. Right-click the icon of the shared folder, 
choose Properties, and click the Sharing tab. 


Under Network Sharing And Security, clear the 
Share This Folder On The Network box. 


Windows XP Professional and Windows 
2000 Professional include a long list of 
administrative shares whose names 
end with a dollar sign. For instance, 
every drive includes an administrative 
share that consists of the drive letter 
and a dollar sign (C$ for the C drive, 
for instance); these administrative 
shares are accessible to anyone in the 
Administrators group. If you’re using 
Windows 2000 Professional or 
Windows XP with Simple File Sharing 
disabled, you can right-click the entry 
for any default share and choose Stop 
Sharing. However, Windows will 
automatically create the share the 
next time you restart the computer. 


To permanently remove an 
administrative share from Windows XP 
Professional or Windows 2000 
Professional, open Registry Editor 
(Regedit.exe) and navigate to the 
registry key 
HKLM\SYSTEM\CurrentControlSet\Ser 
vices\lanmanserver\parameters. 
Right-click the key name and choose 
New, DWORD Value. Give it the name 
AutoShareWks and use the default 
value of 0. After making this change, 
the administrative shares will no 
longer be re-created after each 
restart. 


Removing the default shares on drives 
that contain program or data files is a 
sensible security precaution. Don’t 


delete the ADMIN$ or IPC$ shares, 
however. These are system-level 
shares that are invisible to network 
browsing and are not available for 
interactive use; they’re essential for 
interprocess communications and 
remote administration. 


10. Use Your Screen Saver as a 
Security Device 


With modern monitors, screen savers aren’t 
really needed to prevent images from “burning 
in” to a CRT or flat-panel display. But a properly 
configured screen saver can be a valuable 
security aid, especially in homes and offices 
where physical security is lacking and you're 
often away from your desk. Open the Display 
option in Control Panel and click the Screen Saver 
tab. Select any screen saver, and then adjust the 
following two options, as shown in Figure 2-12: 


e Select the On Resume, Password 
Protect box (Windows XP) or the 
Password Protected box (Windows 
2000). 


e In the Wait box, dial the default 
setting down to the minimum level 
you can tolerate. For maximum 
security, make this value no more 
than 5 minutes. This is the period 
that Windows will wait following any 
inactivity before the screen saver 
kicks in. 


“-Figure 2-12. To make it 
more difficult for unauthorized 
users to access your computer 
when you step away from it, 
set screen saver options as 
shown here. 


11. Create a Backup 


Accidents happen. Even the most security- 
conscious Windows user can fall victim to a power 
failure, a hardware glitch, or an attack that slips 
through a newly discovered security hole. 
Regardless of the cause, it’s crucial that you have 
a reliable current backup at all times so that you 
can quickly recover data that’s been damaged or 
destroyed. We discuss your backup options in 
detail in Chapter 6, “Preventing Data Loss.” Make 
a backup plan, and then make a backup. 


Advanced Security Options 


The 11 steps outlined in the previous sections 
apply to every Windows user. The suggestions in 
this section include steps that aren’t essential but 
might be useful to advanced users or those with 
special configurations. 


Configure Windows Explorer to show all file 
name extensions Some viruses and Trojan 
horse programs use a cheap trick to try to slide 
past a Windows user's defenses, adding a 
second, innocent-looking file name extension to 
disguise the true executable extension. Ina 
default Windows installation, extensions are 
hidden. As a result, a file with the name 
Letter.doc.vbs will appear to a casual user as 
Letter.doc. Sophisticated Windows users will have 
no trouble seeing through this trick, but a less 
experienced or distracted user might be fooled 
long enough to launch a dangerous file. To 
protect yourself, open Windows Explorer and 
choose Tools, Folder Options. On the View tab, 
clear the Hide Extensions For Known File Types 
box, as shown in Figure 2-13. 


“-Figure 2-13. Display all file name 
extensions so that you can more easily 
detect hostile software that tries to hide its 
true extension. 


For a discussion of how hostile 
software uses multiple file name 


extensions to attack Windows, see 
Identifying Malicious Software. 


Selectively show extensions 


If you can’t stand the clutter caused 
by the full display of file name 
extensions, you can customize specific 
file types so that their extensions are 
always visible, while still keeping 
other, less dangerous extensions 
hidden. If you’re concerned about files 
with the .vbs, .pif, and .scr extensions, 
for instance, you can ensure that 
those extensions are always visible by 
following the steps outlined in Blocking 
Dangerous Attachments. You can also 
use a custom script to toggle the 
display of file name extensions and 
hidden folders as needed; the CD 
included with Microsoft Windows XP 
Inside Out includes one such script, 
called ToggleHiddenExplorerStuff. 


Adjust Internet Explorer security options 
The zone-based security settings in Internet 
Explorer 6 provide excellent protection against 
most garden-variety attacks. Advanced security 
options allow you to significantly increase the 
level of security in your browser. We explain 
these options in full in Chapter 8, “Making 
Internet Explorer Safer.” 


Adjust Internet Explorer privacy options Are 
you concerned that browser cookies are 
disclosing too much information about you? 
Internet Explorer 6 uses a fairly complex system 
to control the information that flows between you 
and Web sites. You can customize these settings 
significantly by using the built-in privacy controls 
in Internet Explorer 6, shown here. If you’re 
willing to roll up your sleeves and work with XML 
files, you can create and share custom privacy 


settings as well, as we document in Setting 
Cookie Preferences in Internet Explorer 6. 


“.Review saved passwords and form data 
in Internet Explorer By default, all versions of 
Internet Explorer offer to save form data, user 
names, and passwords for Web sites you visit. 
This saved information can unintentionally reveal 
information about you, such as searches you've 
made, and can allow unauthorized users to 
access password-protected Web sites that contain 
confidential information about you. Your 
browser’s history can also divulge sites you’ve 
visited. Read Covering Your Tracks, to learn how 
to configure these features to match your 
preferences and how to eliminate any stored 
information. 


Obtain a personal certificate for signing and 
encrypting e-mail Electronic mail is not secure. 
If you routinely send and receive sensitive mail, 
consider purchasing and installing a personal 
digital certificate from a certification authority 
such as VeriSign or Thawte Technologies. This 
option allows you to digitally sign and encrypt 
messages so that they can’t be read or tampered 
with by anyone who intercepts the traffic. We 
provide full instructions (and a number of 
important cautions) in Chapters 4 and 9; see 
Obtaining_a Personal Certificate, and Protecting 
E-Mail from Prying Eyes. 


Restrict executable file attachments in e- 
mail The overwhelming majority of viruses that 
attack Windows arrive via e-mail. Recent versions 
of Microsoft Outlook (a component of Microsoft 
Office) and Outlook Express 6 restrict a user’s 
ability to view, save, or execute file attachments 
whose extensions are on a restricted list. These 
features are controversial, and their 


implementation varies widely, depending on the 
specific e-mail client you use. In Outlook 2002, 
for instance, certain file types are automatically 
blocked, and the user cannot disable or tweak 
this setting. In Outlook Express, by contrast, the 
option to block dangerous attachments is turned 
off by default, as shown here. We explain your 
options fully in Blocking Dangerous Attachments. 


“-Set up virtual private network 
connections for remote access If you need to 
allow remote access to a computer on your 
network, set up a VPN connection, restrict it to 
only those users who need access, and protect 
those accounts with strong passwords. VPN 
connections encrypt traffic over the Internet and 
provide dramatically better security than other 
remote access options. For Windows 2000, the 
complete set of steps is described in Knowledge 
Base article Q257333, “How to Configure 
Windows 2000 Professional to Windows 2000 
Professional Virtual Private Network Connections.’ 
In Windows XP, you can use the Create A New 
Connection Wizard in the Network Connections 
folder to quickly create a VPN connection. To 
explore VPN connections in depth, read Setting 
Up a Virtual Private Network. 
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Set up encryption for wireless networks Do 
you have a wireless network? Unlike conventional 
wired networks, wireless networks add security 
risks. Unless you take special precautions, 
anyone who roams into the range of your 
wireless access point can intercept network traffic 
and potentially break into any computer on the 
network. You have a number of configuration 
options; we explain how to tighten wireless 
security in Chapter 16, “Wireless Networking_and 
Remote Access.” 


Chapter 3 


Managing User Accounts and 
Passwords 


In this chapter, we explain how to create and 
customize one of the basic building blocks of 
security in Microsoft Windows XP and Windows 
2000: the user account. Carefully managing user 
accounts allows you to increase your level of 
security dramatically by imposing restrictions and 
granting privileges to particular users or groups 
of users. This is a fundamental difference from 
how security is implemented in the Windows 9x 
family (including Windows 95/98 and Windows 
Me). In operating systems based on Windows 9x 
code, security—such as it is—is applied by 
assigning a single password that controls all 
access to a resource (such as a shared folder). 
Anyone who knows or can crack the password for 
a shared resource can gain access to it. A 
Windows 9x user can assign separate passwords 
for read-only access and for read-write access, 
but he or she cannot control access on a per-user 
basis. 


Passwords are another main topic of this chapter, 
and we explain how to use them effectively. By 
appropriately applying password policies and 
practices, you can minimize the chance that an 
attacker will figure out your password and gain 
access to your protected information, plant a 
Trojan horse on your computer, or do other 
damage. 


With user accounts and passwords firmly 
established, the next step is to put them together 
in the logon process. Making the logon process 
more secure is the final topic of this chapter. 


Security Checklist: User Accounts 
and Passwords 


Here’s a quick checklist of security 
practices you can follow to secure your 
user accounts, passwords, and logon 


process. 


Some items might not be 


appropriate for your situation; review 
the information in this chapter before 
you forge ahead. 


Create a user account 
for each person who 
uses the computer. 


Disable or delete 
unnecessary accounts. 


Assign each account to 
appropriate security 
groups. 


Assign a strong 
password to each 
account. 


Secure the built-in 
Administrator account. 


Set password policies to 
ensure that users create 
strong logon passwords 
and change them 
regularly. 


Create a Password Reset 
Disk. 


Use a password- 
management program to 


securely manage your 
collection of passwords. 


Disable the Welcome 
screen in favor of the 
classic logon screens. 


Require users to press 
Ctrl+Alt+Delete and 
enter a user name and 
password before logging 
on. 


Display a legal notice 
that warns users about 
unauthorized logon 
attempts. 


Set account lockout 
policies to lock out 
password guessers. 


For ultra-high-security 
needs, consider 
removing the system’s 
startup key so that a 
password or floppy disk 
is required before the 
logon screen appears. 


Managing User Accounts for Security 


Because so much in Windows security depends on the identification of users, 
the first step in securing your computer and your network should be to 
configure your user accounts. You'll need to do the following: 


e Create a user account for each person who uses the computer. 
e Disable or delete unnecessary accounts. 
e Assign each account to appropriate security groups. 


e Assign a strong password to each account. 


In the following sections, we explain how to perform each of these security- 
related tasks. As you might imagine, you can configure a number of other 
options for local user accounts—everything from changing the picture that 
appears on the Welcome screen and at the top of the Start menu to specifying 
a profile and a logon script. Windows XP users can find information about those 
topics in our earlier book, Microsoft Windows XP Inside Out (Microsoft Press, 
2001). 


Domain user accounts, which are stored in Active Directory on a server running 
Microsoft Windows 2000 Server or Windows .NET Server, offer a wealth of 
additional configuration options, including phone numbers, mailing addresses, 
and much, much more. Active Directory configuration and, indeed, security 
options for an Active Directory-based domain are topics beyond the scope of 
this volume. Microsoft Press offers a number of books on these topics, 
including Microsoft Windows 2000 Security Technical Reference, by Internet 
Security Systems, Inc. (Microsoft Press, 2000). 


For an explanation of how user accounts identify each user on your 
computer and on your network and how they fit into the overall 
security infrastructure of Windows, see What Are User Accounts?. 


Finding the Account-Management Tools 


With Windows 2000, you have a choice of three methods for creating and 
maintaining user accounts: 


Users And Passwords. Located in Control Panel, Users And Passwords 
provides a simple dialog box for performing common tasks. Although the 
capabilities of this tool are few (you can add or remove local user accounts, set 
passwords, and place a user account in a single security group), it has a 
handful of unique abilities that aren’t available with the other GUI (graphical 
user interface) tools. With this tool, you can 


e Change an account’s user name 
e Configure automatic logon 


e Configure the Ctrl+Alt+Delete requirement 


(For information on these last two features, see Configuring the Logon Process 
for Security). 


To start Users And Passwords, shown in Figure 3-1, open Control Panel and 
double-click Users And Passwords. 


Figure 3-1. Users And Passwords in Windows 2000 has a Windows XP 
counterpart, called User Accounts, that is nearly identical in appearance 
and function. You can open User Accounts by typing control 
userpasswords2 at a command prompt. 


Local Users And Groups. This Microsoft Management Console (MMC) snap-in, 
shown in Figure 3-2, provides access to more account-management features 
than Users And Passwords and is friendlier than the command-line utilities 
(described next). You can start Local Users And Groups in any of the following 
ways: 


e In Computer Management (under Administrative Tools in Control 
Panel), open System Tools\Local Users And Groups. 


e At a command prompt, type lusrmgr.msc. 


e In Users And Passwords, click the Advanced tab and then click 
the Advanced button. 


Figure 3-2. Local Users And Groups, like most MMC 
consoles, resembles Windows Explorer. 


Net commands. Two command-line utilities, Net User and Net Localgroup, 
although not particularly intuitive, provide the most complete and direct access 
to various account tasks. 


For detailed information on these commands, type net help user or net help 
localgroup at a command prompt. For a quick refresher course on the syntax 
and available options, type net user /? or net localgroup /?. 


Use a Command Prompt window for Net commands 


Although you can issue Net commands in the Run dialog box (and 
they will be effective), you should always open a Command Prompt 
window and enter the commands there instead. That’s because Net 
displays the command results in the same window; if you enter the 
command in the Run dialog box, the window closes before you have 
a chance to see the results. (To open a Command Prompt window, 
press the Windows logo key+R to open the Run dialog box, type 


cmd, and press Enter. If your keyboard doesn’t have a Windows 
logo key, open the Start menu and choose Run.) 


Windows XP offers a fourth, simpler tool for managing user accounts: 


User Accounts. This wizard-based account-management tool, shown in Figure 
3-3, is designed for novice computer administrators. Its choices are limited, 
but it provides assistance every step of the way. To start User Accounts, open 
Control Panel and double-click User Accounts. 


“Figure 3-3. Choosing User Accounts in Control Panel on a Windows XP 
computer that’s not joined to a domain offers this friendly face. 


If your computer is running Windows XP Professional and is joined 
to a domain, opening User Accounts in Control Panel produces a 
version of User Accounts that’s nearly identical to Users And 
Passwords in Windows 2000. 


In Windows 2000, all three tools—Users And Passwords, Local Users And 
Groups, and Net commands—are available in all editions. With varying degrees 
of ease, these tools allow an administrator to perform the basic tasks of 
creating, modifying, and deleting local user accounts and security groups. 
Which one you choose depends in large measure on which user interface you 
prefer: Do you like the direct, concise method of working with a command-line 
interface? Or do you prefer the friendly guidance provided by a graphical 
interface? Are you comfortable working with MMC consoles? Do you want to 
automate account-management procedures with batch programs? 


Selecting an account-management tool in Windows XP becomes a little more 
complicated (in part because of its developers’ zeal to make things simpler): 


e If you have Windows XP Home Edition, Local Users And Groups is 
not available. (You can start the program, but it won't let you do 
anything.) 


e If your computer is in a workgroup, clicking User Accounts in 
Control Panel displays the new, simplified version of User 
Accounts. If you prefer to work with the version that resembles 
Users And Passwords in Windows 2000, type control 
userpasswords2 at a command prompt. (To add to the 
confusion, the title bar identifies both versions as User Accounts.) 


e As noted earlier, if your computer is joined to a domain, clicking 
User Accounts in Control Panel displays the Windows 2000-style 
User Accounts dialog box. The simple version of User Accounts is 
not available. 


None of the tools can perform all account-related tasks, so for certain tasks 
your choice of user-management tool is dictated by each tool’s capabilities. 
Table 3-1 shows which common tasks for managing local user accounts you 
can perform with each of the four tools. 


Table 3-1. Local User Account-Management Tasks 


Users And Local 

Task Passwords (User Users Net User 
Accounts in And Commands Accounts+ 
Windows XP) Groups 

Create user Yes Yes Yes Yes 


account 


Task 


Delete user 
account 


Place account 
in a security 
group 


Change user 
name 


Change full 
name 


Change 
description 


Change 
picture 


Seta 
password 


Set a 
password hint 


Set password 
restrictions 


Set logon 
hours 


Enable or 
disable 
account 


Unlock 
account 


Set account 
expiration 
date 


Users And 


Passwords (User 


Accounts in 
Windows XP) 


Yes 


Yes, but you can 
add an account to 


only one group 


Yes 


Yes 


Yes 


No 


Yes, but only fora 
local account other 
than the one with 


which you're 


currently logged on 


No 


No 


No 


No 


No 


Local 
Users 
And 
Groups 


Yes 


Yes 


Yes 


Yes 


Yes 


No 


Yes 


No 


Yes 


No 


Yes 


Yes 


No 


Net 
Commands 


Yes 


Yes 


No 


Yes 


Yes 


No 


Yes 


No 


Yes 


Yes 


Yes 


Yes 


Yes 


User 
Accounts! 


Yes 


Yes, but you 
can add an 
account only 
to the 
Administrators 
group or the 
Users group 


No 


Yes 


No 


Yes 


Yes 


Yes 


No 


No 


Yes, but only 
the Guest 
account 


No 


No 


Users And Local 


Task Passwords (User Users Net User 
Accounts in And Commands Accounts! 
Windows XP) Groups 

Specify No Yes Yes No 

profile and 

logon script 

Link account Yes No No Yes 


to Microsoft 
.NET Passport 
(Windows XP 


only) 


For managing local security groups, you'll need to use either Local Users And 
Groups or the Net Localgroup command. Both of these tools allow you to 


e Create a local security group 
e Delete a group 
e Rename a group 


e Set group membership by adding or removing local user accounts 
and groups 


e Add a domain user account to a local security group 


Add your domain user account to a local group 


Users And Passwords (called User Accounts in Windows XP) lets you 
perform only one group-management task—but it’s an essential one 
if your computer is a member of a domain. With Users And 
Passwords you can add a domain user account to a local security 
group, giving your domain account (presumably the one with which 
you normally log on) privileges on your local computer. To do that, 
follow these steps: 


1. In Control Panel, open Users And Passwords (Windows 
2000) or User Accounts (Windows XP Professional). 


2. Select the name of the domain user account that you 
want to add to a local group, and then click 
Properties. 


3°*Select Other and then select the name of the 
group to which you want to add the selected account. 


You might, for example, want to add your domain account to the 
local Power Users group, thereby granting to it in one fell swoop all 
the rights, privileges, and responsibilities of a local power user. 


Creating User Accounts 


When you set up Windows on a new computer, you might have user accounts 
for yourself and others who use your computer, or you might have only an 
Administrator account, depending on the options you choose during setup. If 
you upgrade a computer that previously had user accounts, those accounts are 
retained. In any case, you should be sure that you have an account for each 
user. If you need to create an account, you can use any of the four tools, as 
follows: 


e With Users And Passwords, click the Add button on the Users tab. 
The Add New User Wizard then leads you through the steps of 
selecting a user name, assigning a password, and adding the 
account to a local security group. 


Troubleshooting 
The Add button is unavailable. 


If the Add button on the Users tab of Users And 
Passwords appears dimmed, select the Users Must 
Enter A User Name And Password To Use This 
Computer check box. If the check box is already 
selected (or if it doesn’t appear, which is the case if 
your computer is joined to a domain), be sure you're 
logged on with an account in the Administrators or 
Power Users group. 


In Local Users And Groups, right-click Users in the console tree 
and choose New User. Complete the information in the New User 
dialog box, shown in Figure 3-4, and then click Create. The dialog 
box remains open so that you can create another user account; 
click Close when you've finished creating accounts. 


To create a user account with the Net User command, you use 
the form net user username /add, where username is the user 
name of the account you want to create. You might also want to 
include other command-line parameters to configure the account. 
Table 3-2 lists the parameters that are most useful in setting up 
new accounts. For example, you might enter a command and see 
results such as the following: 


C:\>net user jan /add /fullname:"Jan Siechert" /randor 
Password for jan is: x@WY$52N 
The command completed successfully. 


Figure 3-4. Local Users And Groups presents a 
straightforward dialog box that lets you provide all the basic 
account information in one place. 


Table 3-2. Net User Parameters for Adding Accounts 


Parameter Description 


/Add Creates a new user account. The user name can 
contain a maximum of 20 characters and can’t contain 
any of these characters: ”/\[]:; |=,+*?<> 


Parameter 


password or * or 
/Random 


/Fullname:”name” 


/Comment:”text” 


/Passwordchg:yes 
or 
/Passwordchg:no 


/Active:no or 
/Active:yes 


/Expires:date or 
/Expires:never2 


/Passwordreq:yes 
or 
/Passwordreq:no2 


/Times:times or 
/Times:all2 


Description 


Sets the password. If you type an asterisk (*), Net 
User prompts for the password you want to assign; it 
does not display the password as you type it. The 
/Random switch generates a hard-to-crack, eight- 
character password. 


Specifies the user’s full name. 


Provides a descriptive comment (maximum length of 
48 characters). 


Specifies whether the user is allowed to change the 
password. 


Disables or enables the account. (When an account is 
disabled, the user can’t log on or access resources on 
the computer.) 


Sets the expiration date for an account. For date, use 
the short date format set in Regional Options in 
Control Panel. The account expires at the beginning of 
the day on the specified date; after that time, the user 
can’t log on or access resources on the computer until 
an administrator sets a new expiration date. 


Specifies whether the user account is required to have 
a nonblank password. 


Sets the times when the user is allowed to log on. For 
times, enter the days of the week you want to allow 
logon. Use a hyphen to specify a range of days or use 
a comma to list separate days. Following each day 
entry, specify the allowable logon times. Separate 
multiple entries with a semicolon. For example, use 
M-F,8am-6pm;Sa,9am-ipm to restrict logon times 
to those work hours. Use All to allow logon at any 
time; a blank value prevents the user from ever 
logging on. 


e In User Accounts, you create an account by clicking its 
convenient Create A New Account link. You need to supply only a 
name for the account and decide whether you want the account 
to be a computer administrator account or an account with 
limited privileges. To configure other options—including setting a 
password—you must make changes after you create the account. 


User Name vs. 


Full Name 


Each of the account-management tools allows you to specify a user 
name and a full name. (User Accounts uses the name you provide 
as both the user name and the full name.) What’s the difference? 


The user name is the name used internally by Windows, and it’s 
how you refer to the account in most places. You use it when you 
log on without the benefit of the Welcome screen and when you 
specify the account name in various commands and dialog boxes for 
setting permissions. The full name is the “friendly” name that 
appears on the Welcome screen and at the top of the Start menu in 
Windows XP, as well as in a few other places. It’s there for your 
convenience only and isn’t needed by Windows. 


Disabling or Deleting User Accounts 


Every user account offers a potential entry point for an attacker. Therefore, it’s 
good practice to disable or delete user accounts that are no longer needed. If 
an employee leaves your company, for example, you should immediately 
disable his or her account. (Disabling an account prevents the user from 
logging on or accessing the computer’s resources, but it leaves the account 
information, its certificates, and its private files intact. If you need to use the 
account later, you simply enable it again.) When you're certain that you won’t 
need access to any of the account’s private information, you should delete it. 


To disable (or subsequently re-enable) an account, use either of these 
methods: 


e In Local Users And Groups, double-click the account to display 
the General tab of the properties dialog box. Then select or clear 
the Account Is Disabled check box. 


e In a Command Prompt window, type net user username 
/active:no (where username is the account’s user name) to 
disable an account. To enable an account, enter net user 
username /active:yes. 


Disable the Guest account with user rights 


In User Accounts, you can effectively disable or enable the Guest 
account (but no other accounts). Click the Guest account and then 
click Turn Off The Guest Account or Turn On The Guest Account. In 
fact, enabling or disabling the Guest account in this manner does 
not set the account’s active status, as the other methods do. When 
you “turn off” the Guest account, Windows adds Guest to the list of 
accounts with the Deny Logon Locally user right assigned. (This is 
actually a side effect of the way Windows XP uses the Guest account 
for network access when Simple File Sharing is enabled.) 


If you have Windows XP Professional, you can verify this in Local 
Security Settings, which you can start by typing secpol.msc in the 
Run dialog box. Open Security Settings\Local Policies\User Rights 
Assignment and look at the Deny Logon Locally right. For more 
information about user rights and Local Security Settings, see 
Chapter 19, “Using Group Policy and User Rights to Restrict Users.” 


Deleting an account prevents anyone from logging on with the account. Once 
this change is made, it’s permanent. You can’t restore access to resources for 
which the user currently has permission by re-creating the account. These 
resources include the user’s encrypted files, personal certificates, and stored 
passwords for Web sites and network resources as well as files. Access is 
denied because permissions are linked to the account's original security 
identifier (SID)—not the user name. Creating a new account—even one with 
the same user name and password as the account you deleted—produces a 
new SID, which will not have the same access privileges as the original 
account. 


Unless you're absolutely certain that you won't ever use Remote 
Assistance to obtain help from another user, you shouldn’t delete 
the built-in HelpAssistant or SUPPORT_xxxxxxxx accounts (Windows 
XP only). Instead, you should be sure that these accounts are 
disabled. (They'll be enabled automatically when you use features 
that depend on them.) 


You can delete any account except the built-in Administrator and Guest 
accounts or an account that is currently logged on. To delete an account, you 
can use the account-management tool of your choice, as follows: 


e In Users And Passwords, on the Users tab select the name of the 
account you want to delete and click Remove. 


In Local Users And Groups, click Users in the console tree to 
display the list of users in the details pane. Right-click the name 
of the account you want to delete and choose Delete. 


To delete an account with the Net User command, use the form 
net user username /delete, where username is the account’s 
user name. 


To delete an account with User Accounts, click the name of the 
account you want to delete. Then click Delete The Account. User 
Accounts gives you a choice, shown in Figure 3-5, about what to 
do with the account's files: 


“Figure 3-5. When you delete an account with User 
Accounts, Windows XP also deletes the user profile, but it 
gives you an opportunity to save the user’s files in a folder 
on your desktop. 


e Keep Files. If you select Keep Files, Windows 
copies the user’s files and folders from the desktop 
and the My Documents folder to a folder on your 
desktop, where they become part of your profile 
and remain under your control. The rest of the user 
profile—such as e-mail messages and other data 
stored in the Application Data folder, Internet 
favorites, and settings stored in the registry—is 
deleted after you confirm your intention in the next 
window that appears. 


Delete Files. If you select Delete Files and confirm 
your choice in the window that follows, Windows 
deletes the account, its user profile, all files 
associated with the account (including those in its 
My Documents folder), and its registry settings. 


Delete user profiles and registry settings, too 


If you use a tool other than User Accounts to delete an account, the 
account’s profile continues to occupy space in the Documents And 
Settings folder and in the registry. Purging these unused items by 
deleting files with Windows Explorer and editing the registry directly 
can be risky; it’s too easy to delete the wrong folders or keys. 
Instead, right-click My Computer and choose Properties to open the 
System Properties dialog box. In Windows 2000, click the User 
Profiles tab; in Windows XP, click the Advanced tab and then click 
Settings under User Profiles. Select the account named Account 
Unknown (the deleted account) and click Delete. (If the Delete 
button is not available, log off all users and then log on again.) 


wa 


Assigning User Accounts to Security Groups 


With your computer's list of users now refined to include everyone who uses 
the computer and no one else, you should assign each user to one or more 
security groups. The built-in security groups have predefined rights and 
permissions that are appropriate for broad classes of users, and they are 
usually all you need for stand-alone computers and small networks. (For 
details, see Roles of Security Group Members. 


To assign a user account to only one group, you can use any of the account- 
management tools, as explained here. If you want to add an account to more 
than one group (which is likely only if you’re using groups other than the built- 
in ones), you must use either Local Users And Groups or the Net Localgroup 
command. 


e In Users And Passwords, click the Users tab and then double-click 
the user name for the account you want to change. In the 
properties dialog box that appears, click the Group Membership 
tab and then select a security group, as shown in Figure 3-6. 


Figure 3-6. This dialog box lets you place an account in 
any single local security group. 


When you add an account to a group using Users And 
Passwords, Windows removes the account from any 
other local groups the account was in. An account that 
is a member of the Remote Desktop Users group and 
the Administrators group, for example, loses 
membership in both those groups if you use this tool 
to move the account to the Power Users group. 


Avoid Standard User in Windows XP Home 
Edition 

All versions of Windows 2000 and Windows XP let you 
assign an account to the Power Users group by 
choosing Standard User in the dialog box shown in 
Figure 3-6. This choice produces a flurry of error 
messages in Windows XP Home Edition, however, 
because Home Edition does not have a built-in Power 
Users group. Although you could prevent the error 
messages by using the Net Localgroup command to 
create a Power Users group, doing so wouldn’t have 
the intended effect. Simply creating a group with that 
name doesn’t confer the predefined rights, 
restrictions, and permissions that the built-in Power 
Users group in Windows XP Professional enjoys. Your 
best bet: If you have Home Edition, avoid choosing 
Standard User. 


e Local Users And Groups provides the best tool for managing 
group memberships. You can approach the task in either of two 
ways: 


e To manage the group memberships for a single 
user account, click Users in the console tree. With 
user accounts displayed in the details pane, double- 
click a user name and then click the Member Of tab 
in the properties dialog box that appears, shown in 
Figure 3-7. Click Add and complete the ensuing 


dialog box to add the user account to a group, or 
select a group and click Remove to delete the 
account from the group. 


“Figure 3-7. From Local Users And Groups, 
use the Member Of tab to review and manage 
a user’s group memberships. 


e To manage the group memberships for a single 
security group, click Groups in the console tree. 
With groups displayed in the details pane, double- 
click a group name to see a list of the group’s 
members. See Figure 3-8, which shows the security 
group's properties dialog box. Click Add to adda 
user account to the group, or select an account and 
click Remove to delete the user from the group. 


Figure 3-8. Local Users And Groups displays a list of user 
accounts in a particular security group. 


e The Net Localgroup command uses the form net localgroup 
group usernames /add (where group is the security group 
name and usernames is one or more user names, separated by 
spaces) to add an account to a user group. For example, to add 
Jan and Muir to the Power Users group, use this command: 


C:\>net localgroup "power users" jan muir /add 
The command completed successfully. 


To delete one or more group members, use the same syntax, 
replacing the /Add switch with /Delete. Note that the group 
membership changes you make with Net Localgroup do not affect 
a user account’s membership in other security groups. 


e With User Accounts, you can assign an account only to the 
Administrators group or the Users group. An account's 
membership in either of those groups is deleted when you switch 
the account to the other group; however, all the account’s 
additional group memberships remain unchanged. To make the 
change, click the account name in User Accounts. Then click the 
Change The Account Type link. 


Best Practices for Your Everyday Account 


By default, each user account you create during Windows XP setup 
(as well as those migrated during an upgrade from Windows 98 or 
Windows Me) becomes a member of the Administrators group. This 
account assignment is for convenience because administrative 
privileges are needed to run many programs (particularly older 
programs that were written without regard for security). But it’s 
definitely not the most secure way to operate, and you should 
demote all users—yourself included—to less privileged groups if 
possible. Always running as a computer administrator makes your 
computer and your network more vulnerable to attacks from viruses 
and Trojan horses, simply because administrative accounts have all 
the requisite privileges to start such processes, albeit inadvertently. 


Even if your programs run properly without administrative 
privileges, you'll almost certainly need to log on as an administrator 
to install most programs and occasionally to perform other 
administrative tasks, such as managing user accounts. (In 


particular, nearly all the procedures described in this chapter require 
administrative privileges.) Therefore, we suggest the following 
strategy: 


e Log on as Administrator (or another administrative 
account you create for the purpose) and move all 
other accounts from the Administrators group to the 
Power Users or Users group. Log off and then use your 
normal (non administrative) account for everyday use. 


e When you install a program, use the Administrator 
account. As an alternative to logging off and then 
logging on as Administrator, you can use the Run As 
command. Right-click the new application’s setup 
program and choose Run As. (In Windows 2000, you 
must hold down Shift when you right-click to make 
the Run As command appear.) Enter the credentials 
for the Administrator account. 


e After you install a program, if it balks when you try to 
run it aS a nonadministrative user, you can set a 
compatibility mode, which attempts to convince the 
ill-mannered program that it’s running in the earlier 
version of Windows for which it was designed. To set a 
compatibility mode, log on as Administrator (or use 
Run As) and follow these steps: 


e In Windows XP: If you run the program 
from a CD or a network drive, open the 
Start menu and choose All Programs, 
Accessories, Program Compatibility 
Wizard. If you’ve installed the program 
on your local hard disk, right-click the 
program’s shortcut, choose Properties, 
and then click the Compatibility tab. 


“In Windows 2000 SP2: If you have 
installed Service Pack 2 or later, a 
Compatibility tab similar to the one 
shown for Windows XP is available. After 
installing SP2 or later, you enable the 
feature by typing regsvr32 
%systemroot% \apppatch \slayerui. 
dll at a command prompt. (You need to 
do this only once.) Thereafter, the dialog 
box that appears when you right-click a 
program’s shortcut and choose 
Properties includes a Compatibility tab 
on which you can select the earlier 
version of Windows to emulate. 


e In Windows 2000 without SP2: If you 
haven’t already installed Support Tools 
and the Application Compatibility tool, 
insert the Windows 2000 Professional 
CD, navigate to its \Support\Tools folder, 
and run Setup. To run Application 
Compatibility, open the Start menu and 
choose Programs, Windows 2000 


Support Tools, Tools, Application 
Compatibility Tool (or simply type 
apcompat at a command prompt). 


e.If setting a compatibility mode doesn’t solve the 
problem, use Run As to run your program. You can 
configure a program’s shortcut so that it always 
prompts you for the credentials of the account you 
want to use; this lets you launch the program in the 
usual way instead of having to right-click and choose 
Run As. The user name will be filled in for you, but 
you'll need to provide its password each time you run 
the program. To configure a shortcut this way, right- 
click the shortcut (this works only with shortcuts to 
programs, not with the programs’ executable files), 
choose Properties, and click the Shortcut tab. In 
Windows XP, click Advanced and then select Run With 
Different Credentials. In Windows 2000, the Run With 
Different Credentials check box is on the Shortcut tab. 


“If these workarounds don’t solve the problem—or if you 
tire of entering yet another password every time you need to runa 
frequently used program—your choices are limited: See whether a 
newer version of the offending program (or a reasonable alternative 
program) is available, or put yourself back in the Administrators 
group. 


Assigning a Password to a User Account 


The last step in configuring user accounts is to assign a logon password to each 
one. The other steps—creating user accounts, disabling unused accounts, and 
assigning accounts to security groups—are often performed for you 
automatically during setup. Windows Setup, however, does not assign 
passwords to most accounts; you must perform this most crucial step on your 
own. 


In this section, we explain how to set a password using each of the account- 
management tools. Before you undertake this task, however, you should think 
about the passwords you want to use. For information about selecting effective 
passwords, see Creating Strong Passwords. 


You can safely set the initial password for a user account using any 
of the account-management tools. But if you’re running Windows 
XP, do not remove or change another user’s password unless the 
user has forgotten the password and has absolutely no other way to 
access the account. (For more information, see Recovering_a Lost 
Password.) If you change or remove another user’s password, that 
user loses all personal certificates and stored passwords for Web 
sites and network resources. Without the personal certificates, the 
user loses access to all of his or her encrypted files and all e-mail 
messages encrypted with the user’s private key. (For information 
about encrypted files, see Chapter 18, “Encrypting Files and 
Folders.”) This feature, new in Windows XP, is designed to prevent 
an administrator from changing someone else’s password to gain 
access to that individual's private information. 


The user whose password is changed can regain access to his or her 

certificates and encrypted information only by changing the 

password back to the old password or by using the Password Reset 

Disk. (For details about resetting passwords, see Using_a Password 
Reset Disk.) 


e Users And Passwords lets you set the password for all local 
accounts except the one with which you're currently logged on. 
(To change your own password, press Ctrl+Alt+Delete and then 
click Change Password.) On the Users tab, select the user name 
and then click Set Password (Windows 2000) or Reset Password 
(Windows XP). 


With Local Users And Groups, you assign a password by clicking 
Users in the console tree, right-clicking a user name, and 
choosing Set Password. 


e To set a password with the Net User command, use the form net 
user username password, where username is the account’s 
user name and password is one of these three values: 


e The password you want to assign 


e * (Windows then prompts you to type the password you want to 
use) 


/random (Windows generates, assigns, and displays a strong 
eight-character password) 


e In User Accounts, you assign a password by clicking the account 
name and then clicking the Create A Password link. A window like 


the one shown in Figure 3-9 appears. User Accounts is the only 
tool that lets you specify a password hint. (The password hint is 
available by clicking the question mark icon that appears after 
you click your name on the Welcome screen.) The availability of 
password hints is another feature that offers added convenience 
at the expense of security; anyone who has access to your 
computer can see your hint if the Welcome screen is displayed. 
Therefore, if you use this feature, be very circumspect about the 
hint you provide! You're better off not using the feature at all. 


Figure 3-9. User Accounts lets you specify a password hint 
when you set the password. 


Don’t use the Comment field to store a password hint. The 
Comment field, which is displayed in all tools except User Accounts, 


can be read by other users on your network as well as other users 
on your computer. 


Securing the Administrator Account 


The Administrator account is a natural target for malicious attackers. First, of 
course, that account holds the keys to the entire kingdom; someone who can 
gain access as Administrator can do just about anything he or she wants with 
your computer. It’s also attractive because nearly every computer has an 
account named Administrator; an intruder needs to determine only the 
password because the user name is already known. 


The most important steps you can take to secure the Administrator account are 
to assign a strong password to it and to change the password frequently. For 
details about strong passwords, see Creating Strong Passwords. 


You can lock down your computer’s Administrator account a little more by 
changing its user name. The name needn't be overly cryptic (like a password, 
for example); it should just be something other than “Administrator,” the name 
that every hacker already knows and expects to find. Follow these steps to 
change the user name: 


1. Open Users And Passwords. (If you are running Windows XP and 
your computer is not joined to a domain, type control 
userpasswords2 at a command prompt.) 


2. On the Users tab, double-click the Administrator account. 


3. In the User Name box, type a new name for the Administrator 
account. 


“Don't use the Administrator account (or whatever you now call it) 
as your everyday account. And if you do need to use the Administrator account 
occasionally for computer maintenance, don’t leave it logged on. 


Create a phony Administrator account 


After you rename the Administrator account, you can create a new 
user account named Administrator. Put this account in the Guests 
security group and give it a strong password. Such an account 
serves two purposes: It’s a decoy that'll keep attackers occupied 
(and won't give up anything of value if they do manage to crack it), 
and it helps you to determine whether someone is trying to break 
into your system. (Check the security log in Event Viewer to see 
whether someone is attempting to log on as Administrator.) 


If you have an alternative administrative account (that is, another user account 
that is a member of the Administrators group), you can disable the built-in 
Administrator account to prevent anyone from using it to log on. 


To disable the Administrator account in Windows XP, double-click the account in 
Local Users And Groups, select Account Is Disabled, and then click OK. 


In Windows 2000, you can’t disable built-in accounts, but you can assign a 
user right that prevents the account from logging on. Start Local Security 
Settings (type secpol.msc at a command prompt), and open Security 
Settings\Local Policies\User Rights Assignment. In the details pane, double- 
click the Deny Logon Locally right. Click Add, select Administrator, click Add, 
and then click OK. 


Securing the Guest Account 


The Guest account provides convenient access for occasional users (Such as a 
baby sitter, customer, or other visitor who wants to check e-mail). Users of the 
Guest account (and members of the Guests group) have access to your 
computer’s programs, to files in the Shared Documents folder, and to files in 
the Guest profile. Although the Guest account offers only limited access, it is 
another means for an intruder to get a toehold into your computer. And 
because ordinarily no password is required to use the account, you must be 
sure that the Guest account doesn’t expose items that a casual user shouldn’t 
be able to view or modify. 


You can further secure the Guest account by making the following changes: 


Turn off or disable the Guest account if you don’t need it. If you only 
occasionally have a visitor who needs guest access, turn on the Guest account 
only when necessary. 


If you are running Windows XP and your computer is not joined to a domain, 
log on as Administrator. In Control Panel, open User Accounts and click Guest. 
Click Turn On The Guest Account to enable Guest access; return to the same 
window and click Turn Off The Guest Account to close this entryway. 


If you are running Windows 2000 or your computer is joined to a domain, use 
Local Users And Groups to control Guest access. Click Users in the console tree 
and then double-click the Guest account in the details pane. In the Guest 
Properties dialog box, select the Account Is Disabled check box to disable 
Guest access; clear the check box to allow access. 


If you have an account lockout policy in place, a specified number of 
incorrect guesses of the Guest password locks out the account, even 
if it is disabled. In Local Users And Groups, open the Guest account 
and check to see whether Account Is Locked Out is selected. If so, 
someone has been trying (unsuccessfully) to log on as Guest. For 
details about account lockouts, see Setting Account Lockout Policies. 


Rename the Guest account. It’s no guarantee of security, but renaming the 
Guest account offers a tiny bit of subterfuge, perhaps leading an attacker away 
to find an easier mark. If the Guest account is enabled, you can rename it with 
Users And Passwords, just as you can rename the Administrator account. (For 
details, see the preceding section, Securing the Administrator Account.) If you 
want to rename the account without first enabling it, you must use Local 
Security Settings: 


1. At a command prompt, type secpol.msc to open Local Security 
Settings. 


2. Open Security Settings\Local Policies\Security Options. 


3. In the details pane, double-click Accounts: Rename Guest 
Account (Windows XP Professional) or Rename Guest Account 
(Windows 2000). 


4. Type the new name for the Guest account. 


Prevent network logon by the Guest account. If you do not use Simple File 
Sharing in Windows XP to share folders or printers with other people on your 
network, you can prevent anyone from using the Guest account to log on to 
your computer over the network. (Simple File Sharing is a Windows XP feature 
that requires the use of the Guest account for network access.) In Local 
Security Settings (Secpol.msc), open Security Settings\Local Policies\User 


Rights Assignment. Be sure that Guest is listed in the Deny Access To This 
Computer From The Network policy. 


For information about Simple File Sharing, see Chapter 5, “Securing 
a Shared Computer.” 


Prevent a Guest user from shutting down the computer. If a guest can 
shut down the computer, he or she not only stops all running processes but 
also can then restart the computer—perhaps booting from a floppy disk or a 
CD into another operating system. To prevent someone logged on as Guest 
from shutting down the system, start Local Security Settings and open Security 
Settings\Local Policies\User Rights Assignment. Be sure that Guest is not listed 
in the Shut Down The System policy. 


Anyone—including guests—can shut down the system from the Welcome 
screen or the Log On To Windows dialog box unless you also set a policy that 
allows only a logged-on user to shut down the computer. In Local Security 
Settings, open Security Settings\Local Policies\Security Options. In the details 
pane, double-click Shutdown: Allow System To Be Shut Down Without Having 
To Log On (Windows XP) or Allow System To Be Shut Down Without Having To 
Log On (Windows 2000) and then select Disabled. 


Of course, with physical access to the computer, a disreputable individual can 
simply press the power switch to circumvent this protection. These settings are 
effective only if your computer’s system unit is securely locked away, separate 
from the keyboard and monitor. 


Prevent a Guest user from viewing event logs. Guests might be able to 
glean information about your computer and your habits by poring through 
event logs. (For more information about event logs, see Viewing the Log of 
Security Events.) To prevent this, start Registry Editor and open 
HKLM\System\CurrentControlSet\Services\Eventlog. Visit each of the three 
subkeys—Application, Security, and System—and be sure that each contains a 
DWORD value named RestrictGuestAccess that is set to 1. 


Using Passwords Effectively 


Do you need to create and use a password for 
Windows logon? After all, it’s certainly easier to 
simply click your name or just press Enter when 
you start your computer. And if your computer is 
in a secure place, such as your home, you might 
be tempted to forgo the protection a password 
provides. 


Before you decide, consider who has physical 
access to your computer. At home, your computer 
might be available only to you and your spouse. 
What about kids? House guests? Do you have any 
household employees such as a babysitter or 
cleaning service? What about repair services or 
other contractors? Each of these people might 
pose a different threat: Family members whom 
you trust completely might be inexperienced 
computer users who can inadvertently delete or 
otherwise destroy your data if they can too easily 
log in as you. Others could conceivably have 
more malicious intentions. 


In a business, it’s more likely that someone who 
shouldn’t do so could obtain access to your 
computer. In addition to business associates and 
employees (who might at some point become 
“disgruntled employees”), janitorial crews (and 
sometimes their accompanying children), security 
guards, delivery persons, clients, vendors, and 
door-to-door framed artwork solicitors could 
reach your computer when you’re not there to 
defend it. In an office environment, you should 
almost certainly use strong passwords for 
Windows logon. 


You might base your decision on the presumed 
value of the information on your computer. In a 


business, of course, you're likely to have financial 
data, product information, proposals, customer 
data, and other important files. The loss of these 
resources, or their discovery by a competitor, 
might prove devastating. At home, perhaps you 
have your family finances on one computer that 
clearly needs to be protected, but you think your 
other computers don’t have anything of “value.” 
Think again: Do they have your photo collection, 
music collection, kitchen plans, or 
correspondence with Aunt Mary? Although these 
types of files might not be of any use to anyone 
else, remember that some vandals enjoy the 
perverse satisfaction of destroying your data. 
Even if you religiously back up your data, you 
might be faced with restoring your system from 
scratch, which could take several hours or more. 


It is especially important to password-protect any 
account that is a member of the Administrators 
group (which is, by default, most accounts you 
set up in Windows XP) because of the 
unrestricted power these accounts wield. If 
someone manages to plant a virus or a Trojan 
horse on your computer while logged on as an 
administrator (by logging on to your computer 
locally, by connecting over a network or the 
Internet, or by tricking you into running an 
executable e-mail attachment, for example), that 
malicious program can do just about anything. 
Two lessons here: Don’t run as an administrator, 
and password-protect all administrator accounts. 


Weak passwords trump strong security. As 
pointed out in “The Ten Immutable Laws of 
Security,” all your other security measures are for 
naught if malicious attackers can get past your 
password defense. (See “The Ten Immutable 
Laws of Security,” reprinted in Appendix A.) Don’t 


let your password selection (or lack thereof) be 
your weakest link. 


Safely use an account with no 
password 


Security enhancements in Windows XP 
mean that blank passwords aren’t 
quite the risk that they are in earlier 
versions of Windows, including 
Windows 2000. In Windows XP, 
accounts with a blank password can 
be used only to log on interactively at 
the computer by using either the 
Welcome screen or the Log On To 
Windows dialog box. You can’t log on 
to a non-password-protected account 
over the network or with Remote 
Desktop, for example. Nor can you 
use the Run As feature to run in the 
context of an account with a blank 
password. (And because Task 
Scheduler uses Run As to launch 
programs, you can’t use a password- 
free account to run scheduled tasks. ) 
These additional restrictions apply 
only to local accounts with no 
password; domain accounts are not 
afforded such protection. (However, 
sound domain policy would prevent 
the creation of a domain account with 
a blank password.) 


Although these enhancements mean 
that if you don’t use a password in 
Windows XP your greatest risk is from 
people who have physical access to 
your computer, you can be sure that 
malicious hackers are working night 
and day to find a way around these 


restrictions. Your safest bet: Don’t rely 
on this protection. Use strong 
passwords—at least for your 
administrator accounts—even with 
Windows XP. 


Troubleshooting 


Windows XP asks for a password, 
but you haven't set one. 


When you upgrade a system to 
Windows XP, the Setup program 
assigns temporary passwords for use 
during setup. Ordinarily, these 
passwords are removed when setup is 
completed. If they’re not removed for 
some reason, you're effectively locked 
out of that account until you 
determine or change the password. 


If you can log on using another 
administrative account, you can 
change the password for the affected 
user account—but be aware of the 
potential problems and data loss that 
changing someone else’s password 
can cause. 


A better way to solve this problem is 

to determine the temporary password 
assigned by Setup, which you can do 
as follows: 


1. Boot into the Recovery 
Console by following 
these steps: 


a. Insert the 
Windows 
CD and 


restart 
your 
computer. 
Follow 
your 
computer’s 
prompts to 
boot from 
the CD. 
(You might 
need to 
adjust 
settings in 
the 
computer’s 
BIOS to 
enable the 
option to 
boot from 
a CD.) 


. Follow the 
setup 
prompts to 
load the 
basic 
Windows 
startup 
files. At 
the 
Welcome 
To Setup 
screen, 
press R to 
start the 
Recovery 
Console. 


c. Enter the 
number of 
the 
Windows 
installation 
you want 
to access 
from the 
Recovery 
Console. 


d. When 
prompted, 
type the 
Administra 
tor 
password. 
If you're 
using the 
Recovery 
Console on 
a system 
running 
Windows 
XP Home 
Edition, 
this 
password 
is blank by 
default, so 
just press 
Enter. 


2. At the command 
prompt, type 
systemroot to change 
to the %SystemRoot% 
folder—the folder where 


Windows XP files are 
located. 


3. Type more 
setupact.log to display 
a file that contains the 
password information 
you need. 


4. Scan the file contents for 
the line that begins 
“Random password for.” 
Press Spacebar to 
display the next screen 
of the file. When you 
find the line, make a 
note of the user name 
and password. 
(Remember that the 
password is case 
sensitive. ) 


5. Reboot into Windows XP 
and log on using the 
user name and password 
information you found. 


If Windows is installed on a FAT32 
volume, you can boot from a Windows 
98 or Windows Me boot floppy instead 
of using Recovery Console. At the 
command prompt, type edit 
%windir%\setupact.log to open 
the file. Use the Edit program’s search 
command to locate the line beginning 
with “Random password for.” 


Creating Strong Passwords 


It’s a fact: Computer users hate passwords. 
Some just leave the password blank or are 
inclined to use an extremely simple (and obvious) 
password, such as password, test, or their user 
name. Others attempt to be a little more secure 
by using a special date or the name of a spouse, 
pet, or favorite sports team. Still others, thinking 
they’re being more secure, use random words 
that occur to them. None of these approaches is 
any match for a sophisticated password-cracking 
program, which can usually correctly ascertain 
such passwords in a matter of minutes. (For 
more information about password cracking, see 
Recovering_a Lost Password. 


The following common practices—widely 
understood and exploited by attackers—must be 
avoided to maintain security: 


e Using a word found in any 
dictionary, including foreign- 
language dictionaries 


e Using the names of people, pets, 
places, sports teams, and so on 


e Writing down your password ona 
note stuck to your monitor or 
placed in your top desk drawer 


You can defend against password-cracking 
programs by using strong passwords. Ultimately, 
such passwords can also be cracked, but it can 
take months instead of hours. In the meantime, 
attackers have moved on to easier targets. And if 
you're following best security practices, you'll 


have changed to a new strong password before 
the current one is cracked. A strong password 


e Contains at least eight characters 


e Contains a mixture of uppercase 
and lowercase letters, numerals, 
and symbols 


e Changes periodically and differs 
significantly from previous 
passwords 


e Does not contain your name, user 
name, or any other words or names 


e Is not shared with anyone 


Unfortunately, such gobbledygook passwords can 
be as difficult to remember as they are to crack. 
You can, however, use some mnemonic tricks to 
create and remember them. 


One effective approach is to distill an easy-to- 
remember phrase into a difficult-to-crack 
password. For example, you could use the phrase 
“Security is everyone’s business” to come up 
with this password: Siel’sbs. History buffs might 
use the title of the World War I marching song 
“It’s a Long, Long Way to Tipperary” to create the 
seemingly random, yet memorable, password 
IaL,LW2T. You get the idea. 


Another trick is to take a memorable phrase (“It 
was the best of times”) and intersperse its initial 
letters with a memorable number (such as your 
anniversary). Using a date of March 18 (3-18) 
yields this password: I3w-t1b8ot. 


Not everyone agrees that your password must be 
an unpronounceable collection of apparently 
random letters, numbers, and symbols. Some 


experts argue that such cryptic passwords are 
less secure than ones made up of several words 
interspersed with numbers and symbols, because 
you're almost certainly going to write down a 
cryptic password. You can find an interesting 
discussion of password security in “Ten Windows 
Password Myths,” an article written for 
SecurityFocus by Mark Burnett 
(http://online.securityfocus.com/infocus/1554/). 


Generate strong passwords 
automatically 


You can use the Net User command to 
randomly generate a strong password 
and assign it to a user account. Ina 
Command Prompt window, type net 
user username /random, where 
username is the account’s user name. 
Similarly, a number of online services 
and stand-alone programs are 
available for randomly generating 
strong passwords of any length you 
specify. You'll find good ones at the 


following locations: 


http://www. winguides.com/security/p 


assword. php 


http://javascript.internet.com/passwor 
ds/password-generator.html 


http://www. segobit.com/apg.htm 
http://www.randpass.com 
http://www. hirtlesoftware.com 
http://www. mark.vcn.com/password/ 


A Web search for “password 
generator” turns up many more. 


Establishing and Enforcing Password 
Policies 


To ensure that you and other users on your 
network don’t leave the password door wide 
open, you should establish (and follow!) some 
effective logon password policies and guidelines. 
As we explain here, you can use security settings 
in Windows to enforce some of these policies; for 
others, user education is the key. 


For best security, we recommend the following: 


e A password should be required 
for all user accounts. At the very 
least, enforce this rule for members 
of the Administrators group. 


e Passwords must be at least 
eight characters long. Shorter 
passwords are more easily cracked. 


Use at least 15 characters for best 
security 


In Windows XP and Windows 2000, 
passwords can be up to 127 
characters long. (In Microsoft Windows 
NT, the limit was 14 characters.) 
Longer passwords become 
exponentially more difficult to crack, 
but they have another seldom- 
documented benefit. The LAN Manager 
(LM) password hash, a relatively 
insecure method of storing passwords 
used in early network operating 
systems, is stored incorrectly in 
Windows XP/2000 if the password is at 
least 15 characters long. An identical 


LM hash value is used for any 
password longer than 14 characters. 
This little-known fact was discovered 
by Urity of Security Friday 
(http://www.securityfriday.com). 


As a result, any password cracker that 
relies on LM hash extraction (as do 
many of those we discuss later in this 
chapter) will not work. Similarly, if an 
attacker coaxes your computer to log 
on using weak LM authentication, your 
password will not be exposed. 
(Windows 2000 falls back to LM 
authentication if Kerberos V5 or NTLM 
are unavailable; for details, see 
Controlling the Logon and 
Authentication Process. ) 


Unfortunately, you can’t use password 
policies (discussed next) to enforce a 
15-character minimum length. You 
can’t specify a minimum length 
greater than 14 characters. 


e Passwords must be complex. 
They should contain characters of 
at least three of these four types: 
uppercase letters, lowercase 
letters, numerals, and symbols. 
This stymies dictionary attacks, 
causing password crackers to rely 
on brute-force methods or other 
techniques. 


Use spaces 


You can use any 
character in a Windows 
logon password, 


including spaces. With 
one or more spaces in a 
password, it’s easier to 
come up with a long yet 
memorable password; 
you might even 
incorporate several 
words separated by 
Spaces and other 
symbols. Don’t use a 
space as the first or last 
character of your 
password, however; 
some applications trim 
spaces from these 
positions. 


e Passwords should not contain 
any form of your name or user 
name. Because so many users 
have passwords based on this weak 
scheme, password-cracking 
programs are trained to try these 
variants very early in the process. 


e Passwords should be changed 
at least every 90 days. The 
attacker’s best friend is time. When 
dictionary attacks don’t work, a 
determined thief can use brute- 
force techniques to try every 
combination of letters, numbers, 
and characters in the hope of 
finding one that works. This task 
can take months, but it will 
eventually pay off if you never 
change your password. 


e Passwords should not be 
written down and stored in 
plain view. Not all attacks come 
from scurrilous characters 
connected to your computer only by 
the Internet. If your password is 
written on a sticky note and stuck 
to your monitor, anyone who walks 
by your computer can copy it. 


Even if you convince everyone who uses your 
computer to use passwords, you can be sure that 
they won’t always follow the secure practices of 
creating strong passwords and changing them 
often. To be sure that these guidelines are 
followed (except for the last one, which relies on 
user education and monitors that repel sticky 
notes), you can set security policies using the 
Local Security Settings console. 


To start Local Security Settings, type secpol.msc 
at a command prompt. To see the policies that 
set password behavior for all accounts, open 
Security Settings\Account Policies\Password 
Policy. Double-click a policy to set its value, as 
shown in Figure 3-10. Table 3-3 explains each 
policy. 

“-Figure 3-10. Local Security Settings lets 

you impose password policies on all local 

user accounts. 


Table 3-3. Password Policies 


Policy Description 


Policy 


Enforce 
password 
history 


Maximum 
password 
age 


Minimum 
password 
age 


Description 


Specifying a number greater 
than O (the maximum is 24) 
causes Windows to remember 
that number of previous 
passwords and forces users to 
pick a password different 
from any of the remembered 
ones. 


Specifying a number greater 
than O (the maximum is 999) 
dictates how many days a 
password remains valid 
before it expires. (To override 
this setting for certain user 
accounts, open the account’s 
properties dialog box in Local 
Users And Groups and select 
the Password Never Expires 
check box.) Selecting 0 
means passwords never 
expire. 


Specifying a number greater 
than O (the maximum is 999) 
lets you set the number of 
days a password must be 
used before a user is allowed 
to change it. Selecting 0 
means that users can change 
passwords as often as they 
like. 


Policy 


Minimum 
password 
length 


Password 
must meet 
complexity 
requirements 


Description 


Specifying a number greater 
than O (the maximum is 14) 
forces passwords to be longer 
than a certain number of 
characters. Specifying 0 
permits users to have no 
password at all. Note: 
Changes to the minimum 
password length setting do 
not apply to current 
passwords. 


Enabling this policy requires 
that new passwords be at 
least six characters long; that 
the passwords contain a mix 
of uppercase letters, 
lowercase letters, numbers, 
and symbols (at least one 
character from three of these 
four classes); and that the 
passwords not contain the 
user name or any part of the 
full name. Note: Enabling 
password complexity does not 
affect current passwords. 


Policy Description 


Store Enabling this policy effectively 
password stores passwords as clear text 
using instead of encrypting them, 
reversible which is much more secure. 


encryption You almost certainly do not 
for all users want to enable this policy, 


in the which is provided only for 
domain compatibility with a few older 
applications. 


If you use password history, you 
should also set a minimum password 
age. Otherwise, users can defeat the 
password history feature by quickly 


changing the password a number of 
times and then returning to the 
current password. 


Recovering a Lost Password 


If you can’t log on to a computer because you 
don’t know the password, you’re not alone. 
Forgetting passwords is one of the most common 
problems users face, especially if they’ve gone to 
the trouble of creating strong ones. If the 
computer is yours, finding that password is called 
“recovering a lost password.” If the computer is 
not yours, the process is called “cracking.” Either 
way, the tools and procedures are much the 
same. If you find yourself in this situation, you 
might need to explore the murky underworld of 
hackers to find the tools and techniques you 
need. 


Traditionally, the best and fastest solution is for 
an administrator to log on to the computer and 
reset your password using any of the available 
account-management tools. This continues to be 
a viable solution for Windows 2000, but it comes 
with a huge caveat in Windows XP: If an 
administrator changes or removes another user’s 
password, that user loses all personal certificates 
and stored passwords for Web sites and network 
resources. Without the personal certificates, the 
user has no access to his or her encrypted files or 
to e-mail messages encrypted with the user’s 
private key. Windows XP deletes the certificates 
and passwords to prevent the administrator who 
makes the password change from gaining access 
to them. 


Troubleshooting 


You can’t access your encrypted 
files because an administrator 
changed your password. 


When an administrator removes or 
changes the password for your local 
account on a computer running 
Windows XP, you no longer have 
access to your encrypted files and e- 
mail messages. That’s because your 
master key, which unlocks your 
personal encryption certificate (which, 
in turn, unlocks your encrypted files), 
is encrypted with a hash of your 
password. When the password 
changes, the master key is no longer 
accessible. To regain access to the 
master key (and, by extension, your 
encrypted files and e-mail messages), 
change your password back to your 
old password. Alternatively, use your 
Password Reset Disk (see the next 
section) to change your password. 


When you change your own password 
(through User Accounts or with your 
Password Reset Disk), Windows uses 
your old password to decrypt the 
master key and then re-encrypts it 
with the new password, so your 
encrypted files and e-mail messages 
remain accessible. 


Microsoft Knowledge Base article 
Q290260 provides more information 
about recovering from this situation. 


Using a Password Reset Disk 


If you use Windows XP—and if you do a little 
advance preparation—recovering from a forgotten 
password is easy (and secure). Windows XP lets 
each user create a Password Reset Disk, a floppy 


disk with which users can log on without knowing 
their password. To create a Password Reset Disk, 
you need to know your current password; 
otherwise, someone could create such a disk at 
your computer when you've stepped away. 


You can make a Password Reset Disk 
only for your local user account. If 
your computer is joined to a domain, 
you can’t create a Password Reset 
Disk as a back door to your domain 


logon password. However, in a domain 
environment a domain administrator 
can safely change your password, and 
you'll still have access to your 
encrypted files. 


To create a Password Reset Disk, follow these 
steps: 


1. Log on using the account for which 
you want to create a Password 
Reset Disk. 


2. In Control Panel, click User 
Accounts. 


3. If you’re logged on as an 
administrator, click your account 
name. 


4. Click Prevent A Forgotten Password 
(in the task pane under Related 
Tasks) to start the Forgotten 
Password Wizard. 


“Because anyone with physical access 
to your computer can use your Password Reset 
Disk to usurp your account, be sure to store the 
disk in a secure location away from the computer. 


(Not too far away, of course. You never know 
when you'll need it.) 


When you attempt to log on and can’t remember 
your password, Windows XP displays a message 
that includes a Use Your Password Reset Disk link 
(if your computer is configured to use the 
Welcome screen) or a Reset button (if you’re not 
using the Welcome screen). Click the link or 
button to launch the Password Reset Wizard. The 
wizard prompts you to insert your Password 
Reset Disk and then asks you to create a new 
password. Log on using your new password and 
return your Password Reset Disk to its safe 
storage place. 


Even if your computer is joined to a 
domain, you might want to create a 
Password Reset Disk for one of your 
computer’s local user accounts. To do 
that, log on as the local user. Press 


Ctrl+Alt+Delete to open the Windows 
Security dialog box. Click Change 
Password, and then click Backup to 
launch the Forgotten Password 
Wizard. 


Using Other Methods for Recovering 
Lost Passwords 


If you don’t have a Password Reset Disk and you 
don’t know the password for an administrator 
account, you can resort to various hacker tricks 
to try to get back into your computer. 


The first one offers an easy method for logging 
on if your computer’s system drive is formatted 
as FAT or FAT32. It relies on the fact that, after 
the logon screen has been displayed for a while 
with no keyboard or mouse activity, Windows 


starts a screen saver named Logon.scr, running 
that program in the context of the System 
account. By substituting a different program for 
Logon.scr, you can use that program without 
logging on. Here are the steps to perform this 
exploit: 


1. Boot from a Windows or MS-DOS 
boot floppy disk. 


2. Enter the following commands to 
change to the 
%SystemRoot%\System32 folder, 
rename Logon.scr, and then make a 
copy of Cmd.exe (the command 
processor that normally appears as 
a Command Prompt window) 
named Logon.scr: 


cd \windows\system32 
ren logon.scr logon.sav 
copy cmd.exe logon.scr 


3. Remove the floppy disk and restart 
your computer. 


4. Wait until the “screen saver” kicks 
in; you'll see a Command Prompt 
window instead. 


5. In the Command Prompt window, 
type net user administrator 
password (where password is the 
password you want to assign to the 
Administrator account). 


6. Log on as Administrator using your 
new password. 


Use NTFS-formatted volumes 


The little trick described here provides 
just one example of the relative 
insecurity of FAT32 vs. NTFS volumes. 
NTFS is the basis of much of the 
security and reliability of Windows 
2000 and Windows XP. If you're 
interested in security, all your hard 
disk partitions should be formatted 
with NTFS. 


If your computer’s boot volume is formatted as 
NTFS, using this trick is considerably more 
difficult. You'll need to purchase a program such 
as NTFSDOS Professional 

(http://www. winternals.com/products/repairandr 
ecovery/ntfsdospro.asp), which lets you read and 
modify files on NTFS volumes while booted into 
MS-DOS. Even with this utility, an intruder will be 
unable to access the contents of encrypted files 
stored on an NTFS volume. 


If you’re still in need of a password-recovery 
solution, the next step is to try a password- 
cracking program. These programs use a variety 
of methods to try to crack the Security Accounts 
Manager (SAM), the database in which password 
information is stored. The programs are most 
effective if you log on using a different user 
account (preferably one with administrator 
privileges), in which case they'll try everything: 
dictionary attacks; extracting password hashes 
from the SAM or, better yet, from memory; and 
brute-force attacks, where every possible 
combination of characters is tried. But some can 
work after booting from a floppy disk, after 
booting into another operating system (if your 
computer has multiple operating systems 
installed), or from another computer on the 
network. 


If you need to recover a lost password (or you 
want to see firsthand how vulnerable your 
computer is to attack), put on your black hat and 
try one or more of the following tools, which give 
an excellent perspective of how hacking tools 
work. 


e Winternals Locksmith 
(http://www. winternals.com/produc 
ts/repairandrecovery/locksmith.asp 
) 


ElcomSoft Advanced NT Security 
Explorer 


(http://www. elcomsoft.com/antexp. 
html) 


e LC3, the latest version of 
LOphtcrack 
(http://www. atstake.com/research/ 
Ic3/) 


Offline NT Password & Registry 
Editor, by Petter Nordahl-Hagen 
(http://home. eunet.no/~pnordahl/ 
ntpasswd/) 


Windows XP / 2000 / NT Key 


(http://www. lostpassword.com/win 
dows-xp-2000-nt.htm) 


John the Ripper 
(http://www. openwall.com/john/) 


Some password-cracking utilities are used by and 
were even created by some rather unsavory 
characters, and they certainly won’t be branded 
with Microsoft’s “Designed for Windows XP” logo! 


We recommend that you try one or more of these 
programs, even if you haven’t forgotten your 


password. The experience is a real eye-opener, 
and it might convince you that strong (very 
strong!) passwords are essential. (An important 
secondary lesson here is that physical security of 
your computer is paramount.) Figure 3-11 shows 
Advanced Security NT Explorer in action. 


“-Figure 3-11. Programs like this one can 
use brute-force methods to try millions of 
combinations in short order. 


You'll probably be shocked and amazed at how 
quickly these programs are able to successfully 
recover passwords. If you can get physical access 
to a computer and somehow log on, you can 
crack almost any password in less than a day. 
Most passwords take only a few hours, and 
weaker ones are revealed in minutes. The 
publisher of LOphtcrack reports that in one large 
company, where strong-password policies were in 
place, LOphtcrack recovered 18 percent of the 
passwords in only 10 minutes and had 90 percent 
of the passwords in 48 hours—running on a lowly 
300 MHz Pentium II. 


For more information about tools and techniques 
for recovering passwords, you'll find some 
excellent information at http://www.password- 
crackers.com/. 


Managing Passwords 


Our discussion so far has focused specifically on 
Windows logon passwords. Indeed, a user’s logon 
password is one of the most important to protect 
because with it comes access to all the user’s 
certificates, network resources, and Internet 
passwords as well as access to a local computer 
and its resources. In other words, if your logon 
password is compromised, a malicious user 
instantly has access to virtually all the same 
resources that are normally yours alone. 


However, passwords (sometimes in combination 
with a user name, sometimes not) are also used 
to control access to all kinds of information: 
network resources, Web sites, online accounts, 
subscription-based data. The list goes on and on. 


The cardinal rules of effective passwords—use a 
strong password and change it frequently—make 
entering and keeping track of your password for 
each account hard enough. But another 
commonly espoused rule—use a different 
password for each account—exponentially 
compounds the difficulty of managing passwords. 
The reason for this rule, of course, is simple: If 
you use the same password for all your accounts 
and it is compromised, the person who has your 
password has access to all your protected 
information. Rather than advocating strict 
adherence to this rule, however, we suggest a 
more manageable three-level approach: 


e Use a secure password for your 
Windows logon and for any Web 
site or account that stores valuable 
financial or personal information. 
This would include bank and 


brokerage accounts, for example. 
These passwords should follow all 
the rules for strong passwords 
detailed earlier in this chapter. Use 
a separate secure password for 
each account. 


e Use a private password for 
accounts on sites where you shop 
or have a paid subscription. This 
password should be relatively 
strong, but because your personal 
financial well-being and privacy are 
not at risk if it’s cracked, you don’t 
need to go overboard. (The worst 
that can happen? Someone sees 
your shopping history or freeloads 
off your paid subscription.) You can 
reuse this password on any site 
that uses a secure server. 


e Use a throwaway password for any 
of the numerous sites that force 
you to register and log on but 
retain no personally identifiable or 
valuable information. Reuse this 
password for all such sites. 


This approach still forces you to keep track of a 
whole collection of passwords. Avoid the 
temptation to write them all down and stick them 
to your monitor! You should also avoid keeping 
the passwords in an unencrypted file of any type. 
If someone manages to find the file on your 
computer (or finds the floppy disk with the file’s 
backup copy), you’re in trouble. 


A no-cost solution is to keep a master list of all 
your passwords in a text file (or other document 
type if you prefer) and encrypt the file. Keep a 


copy of the file in a secure location away from 
your computer. (If you use the built-in Encrypting 
File System to encrypt the file, remember that 
the file is automatically decrypted when you—but 
not another user who finds the file on your hard 
drive—copy the file to a floppy disk. Therefore, if 
you use a floppy disk or other removable medium 
to store the backup copy, keep it under lock and 
key.) A better solution is to use one of the many 
free or low-cost password-management 
programs. For example, with Password Corral, a 
terrific free program from Cygnus Productions, 
you store a list of user name/password 
combinations along with descriptive notes, and it 
scrambles the list using 128-bit encryption. You 
unlock the list with a master password of your 
choosing. (You definitely want a strong one here.) 
As shown in Figure 3-12, this program optionally 
encrypts the on-screen display to prevent 
passersby from stealing your passwords. 


Use Stored User Names And 
Passwords in Windows XP 
Professional 


Windows XP has a feature called 
Stored User Names And Passwords 
that helps to manage logon 
credentials for various resources, such 
as a Shared folder in an untrusted 
domain or a Web site that requires a 
password or certificate. When you 
attempt to connect to such a resource, 
Windows offers the logon credentials 
for that resource as saved in Stored 
User Names And Passwords. Only if 
that fails (either because the 
credentials are invalid or because you 
haven’t previously saved credentials 


for the resource) does Windows 
prompt you to enter your user name 
and password. For this reason, users 
of computers running Windows XP 
face far fewer logon prompts than 
users of Windows 2000, which does 
not have a comparable credentials 
manager. By safely storing as part of a 
user profile the logon credentials for 
other domains, Web sites, and 
workgroup computers, Windows XP 
users approach the goal of a single 
Sign-on experience. 


Note that Stored User Names And 
Passwords offers logon credentials 
only to target computers that use an 
integrated authentication package, 
such as NTLM, Kerberos, or Secure 
Sockets Layer (SSL). Therefore, it 
works with Web sites that use SSL, 
but not with sites that require you to 
enter a credential through other 
means. Stored User Names And 
Passwords also works with Passport. 


You can save credentials in Stored 
User Names And Passwords in either 
of two ways: Select the Remember My 
Password check box in the logon 
dialog box, or enter credentials 
manually into Stored User Names And 
Passwords. 


To manage your stored credentials, 
open Stored User Names And 
Passwords, as follows: If your 
computer is not joined to a domain, in 
Control Panel open User Accounts, 
select your account, and then click 


Manage My Network Passwords (in the 
task pane). If your computer is joined 
to a domain, in Control Panel open 
User Accounts, click the Advanced tab, 
and click Manage Passwords. In the 
Stored User Names And Passwords 
dialog box, you can add, delete, or 
review credentials for various 
resources. 


If you use Windows XP Home Edition, 
you can’t add credentials (you can 
only delete or review credentials that 
Windows has added automatically) or 
store logon credentials for domain 
resources; the primary use of Stored 
User Names And Passwords in Home 
Edition is for Passport credentials. 


“-Figure 3-12. Password Corral optionally 
encrypts the on-screen display of user names 
and passwords so they can't be gleaned by 
passersby. 


A Web search for “password management” turns 
up a number of good programs. Here are two 
that we've tried and recommend: 


e Password Corral, from Cygnus 
Productions 
(http://www. cygnusproductions.co 
m/freeware/pc.asp) 


e Passphrase Keeper, by Boris Zibrat 
(http://www. passphrasekeeper.com 
£) 


Configuring the Logon Process 
for Security 


Logging on to a computer presents a barrier to 
entry for all users, authorized and unauthorized. 
In Chapter 2, we explained how the logon and 
authentication processes work. In this section, we 
show you how to customize the logon process to 
make it as easy as possible for legitimate users 
to log on while still barring users who shouldn’t 
have access. 


For information about the logon 
process, including an introduction to 


the Welcome screen and the classic 
logon, see Controlling the Logon and 
Authentication Process. 


Securing the Welcome Screen 


The Welcome screen is wonderfully convenient; 
users can log on with a single click (and entry of 
a password, if their account requires one). But it 
also exposes user names and password hints to 
anyone who happens by. You might want to 
consider disabling the Welcome screen by 
following these steps: 


1. In Control Panel, open User 
Accounts. 


2. In User Accounts, click Change The 
Way Users Log On Or Off. 


3. Clear the Use The Welcome Screen 
check box and click Apply Options. 


With the Welcome screen disabled, you use the 
“classic” logon, which includes the Welcome To 
Windows and Log On To Windows dialog boxes. 
Note that disabling the Welcome screen also 
disables Fast User Switching, the feature that lets 
you log on to another account without first 
logging off. This feature allows multiple users to 
be logged on simultaneously, leaving each user’s 
programs running in the background. 


If you want to retain the convenience of Fast User 
Switching, you can make the Welcome screen 
more secure in another way: by hiding certain 
user accounts so that they don’t appear on the 
Welcome screen. You can use either of these two 
methods: 


e You can modify the group 
membership of accounts you want 
to hide. Only members of the 


Administrators, Guests, Power 
Users, or Users groups appear on 
the Welcome screen. 


e You can make a change in the 
registry. Use Registry Editor to open 
HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\ 
SpecialAccounts\UserList. Create a 
new DWORD value, setting its 
name to the user name of the 
account you want to hide and 
leaving its data set to 0. 


To log on to an account that’s not on the 
Welcome screen, press Ctrl+Alt+Delete two times 
to display the Log On To Windows dialog box—the 
same one that appears in the classic logon. 
Accounts that you hide in this manner aren’t 
available with Fast User Switching, however, 
because the trick of pressing Ctrl+Alt+Delete 
twice works only when no one else is logged on. 


Hide your user name from 
passersby 


By default, when you set up a new 
user account in Windows XP, the 
account’s user name and full name are 
the same. Therefore, anyone who sees 
the Welcome screen, which shows 
each account’s full name, Knows 
everyone's user name—the name 
they’d need to log on remotely. You 
can throw up a little smoke screen by 
changing the accounts’ full names; 
that way, the accounts’ first access 
credential (the user name) remains 
hidden from view. You can use any 
account-management tool to change 


the full name, but the easiest is 
probably User Accounts in Control 
Panel. When you change the account 
name in User Accounts, only the full 
name changes; the user name 
remains the same. 


Securing the Classic Logon 


The classic logon, which traces its roots back to 
Windows NT, requires you to press 
Ctrl+Alt+Delete to display the Log On To 
Windows dialog box, where you must enter your 
user name and password. To secure this process, 
follow these steps: 


1. In Windows 2000, open Control 
Panel and double-click Users And 
Passwords. In Windows XP, open 
the Run dialog box and type 
control userpasswords2. 


2. TO ensure that the Ctrl+Alt+Delete 
requirement is in place, click the 
Advanced tab and select the 
Require Users To Press 
Ctri+Alt+Delete check box. 


3°°To disable autologon, click the 
Users tab and select the Users Must 
Enter A User Name And Password 
To Use This Computer check box. 


al 


Secure the classic logon using 
registry entries 


It’s usually best to avoid editing the 
registry directly, particularly when an 
easier, less error-prone, and 
potentially less destructive method 
exists. But you might find it useful to 
change classic logon security through 
the use of a script, batch program, or 
.reg file that makes applying these 
settings a one-click affair. Both 
settings are controlled by values in the 


HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon key. 


To require users to press 
Ctri+Alt+Delete before logging on, set 
the DisableCAD DWORD value to 0, or 
set it to 1 to eliminate this 
requirement. 


To disable autologon, set the 
AutoAdminLogon string value to 0. 
Delete the DefaultPassword string 
value if it exists. 


Depending on your security needs, you might 
want to use some stronger measures to lock 
down the classic logon process even more tightly. 
You can make several changes through the use of 
local security policies. For details, see Chapter 


Security Templates.” 


Controlling Automatic Logons 


The autologon feature lets you bypass the logon 
screens and go directly to your desktop when you 
start your computer. Step 3 of the procedure 
outlined in the preceding section disables 
autologon, and that’s a good security practice in 
most cases. In some situations, however, you 
might want to use autologon. If your computer is 
in a physically secure location and you’re the only 
one who uses it, you might enjoy the 
convenience of autologon. (Even in this situation, 
however, consider whether you want to allow a 
burglar to easily access your computer.) 
Paradoxically, if your computer is used in a public 
display area with virtually no physical security, 
you also might want to use autologon. Why? In 
such a situation, you can force users into a 
particular account rather than leaving them 
gaping at a confusing logon prompt or giving 
them an opportunity to guess passwords for 
other accounts. 


The easiest way to enable autologon is to reverse 
the action described in step 3 of the previous 
procedure: On the Users tab, clear the Users 
Must Enter A User Name And Password To Use 
This Computer check box and click OK. Windows 
then asks for the user name and password of the 
account to be automatically logged on each time 
the computer starts. 


Enabling autologon in this way makes several 
modifications to the registry’s 
HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon key: 


e It creates a string value named 
DefaultUserName and sets it to the 


user name you provided. 


It creates a string value named 
DefaultDomainName and sets it to 
the domain name of the specified 
user account (if the account is not a 
local account). 


e It adds a string value named 
AutoAdminLogon and sets it to 1. 
(A value of 0 disables autologon, 
but don’t use this value alone to 
disable the feature. The 
DefaultPassword value should also 
be deleted, which happens 
automatically if you use Users And 
Passwords to disable autologon. ) 


Numerous books, articles, and Web 
pages—including many published by 
Microsoft—wrongly suggest that 
configuring autologon creates a string 
value named DefaultPassword and 
sets it to the password you provided. 
These sources go on to say that the 
password is stored in plain text and 
that anyone with registry access can 
read it. While it’s true that you can 
use a DefaultPassword value (and 
indeed, if you set up autologon by 
manually editing the registry, you 
must use this value), the good news is 
that if you use Users And Passwords 
(User Accounts in Windows XP) to 
configure autologon, the password is 
stored in encrypted form in 
HKLM\Security\Policy\Secrets\DefaultP 
assword, a registry key that can’t be 
viewed by any ordinary user accounts, 


including administrator accounts. 
Therefore, you should always use the 
Users Must Enter A User Name And 
Password To Use This Computer check 
box to set up autologon. 


You can make other settings in the same registry 
key that further control the autologon process: 


e Ordinarily, autologon works only for 
the first logon after you start the 
computer. After that logon, a user 
could log off and return to the 
logon screen. You can prevent that 
from happening by adding a string 
value named ForceAutoLogon. Set 
it to 1, and the system 
automatically logs on to the 
specified account after each logoff. 


By default, you can prevent 
autologon by holding down the 
Shift key during startup. The 
normal logon dialog box then 
appears, allowing you to log on to 
any account. If you want to ignore 
the Shift key override of autologon, 
add a string value named 
IgnoreShiftOverride and set it to 1. 


e You can limit the number of times 
that autologon will work. This 
setting is normally made only by 
automated setup programs, but you 
might think of a reason to allow 
autologon a fixed number of times 
before disabling the feature. To do 
that, add a DWORD value named 
AutoLogonCount and set it to the 
number of times you want 


autologon to run. Each time the 
computer is restarted and 
autologon runs, the 
AutoLogonCount value is 
decremented by 1. When the value 
reaches 0, Windows changes the 
value of AutoAdminLogon to O (to 
disable autologon) and removes the 
AutoLogonCount value. 


Be sure to leave yourself a back door. 
If you set up autologon and then lock 
it down with the additional registry 
settings mentioned here, you won't be 
able to log on using your (presumably 
more powerful) user account. As long 
as you can get to Registry Editor or 
Users And Passwords using the Run As 
capability, you’re fine. But if you go to 
the extremes of also restricting access 
to Control Panel, the Run command, 
Command Prompt windows, and so on 
for the account that logs on 
automatically and repeatedly—you 
might find that your setup is too 
secure! 


Another way to configure autologon is 
with Tweak UI, a free program you can 
download from Microsoft. (The 
Windows XP version is available at 
http://www. microsoft.com/windowsxp 
Zpro/downloads/powertoys.asp; for 
the Windows 2000 version, go to 
http://www. microsoft.com/ntworkstati 
on/downloads/PowerToys/Networking/ 
NTTweakUl.asp.) Before you embrace 
this method, however, you should be 
aware of one security vulnerability: 


Although Tweak UI stores the logon 
password in encrypted form in an 
inaccessible part of the registry, the 
password is available in masked form 
in the Tweak UI dialog box. An 
attacker with iOpus Password 
Recovery XP 
(http://www.iopus.com/password rec 
overy.htm) or a similar tool for 
revealing masked passwords can view 
the password. 


Displaying a Welcome Message—or a 
Warning 


Silly as it might sound, in some areas you might 
be required by law to warn people that efforts to 
log on by unauthorized users are illegal. Windows 
lets you place that warning right up front in a 
dialog box that appears before the Log On To 
Windows dialog box is displayed. (See Figure 3- 
13 for an example.) Whether required or not, it 
might be useful to display a message that warns 
users about the consequences of misusing 
company information or notifies them that their 
actions might be monitored. (You might also use 
this feature to offer a friendly welcome message! ) 


“-Figure 3-13. A user must click OK in this 
dialog box before the logon dialog box is 
displayed. 


To create such a message, follow these steps: 


1. At a command prompt, type 
secpol.msc to open Local Security 
Settings. 


2. Open Security Settings\Local 
Policies\Security Options. 


3. In the details pane, double-click 
Message Title For Users Attempting 
To Log On. (In Windows XP, the 
names of this policy and the one in 
step 5 are preceded by “Interactive 
Logon.”) 


4. Type the text that should appear in 
the title bar of the legal notice and 
then click OK. 


5. Double-click Message Text For 
Users Attempting To Log On. 


6. Type the text that should appear in 
the main part of the legal notice 
and then click OK. 


The legal notice dialog box appears 


only if you provide both message text 
and message title. 


As an alternative to using Local Security Settings, 
you can make these changes by modifying two 
string values in the registry’s 
HKLM\Software\Microsoft\Windows NT\ 
CurrentVersion\Winlogon key. Enter the title bar 
text as data for the LegalNoticeCaption value. 
Enter the body text as data for the 
LegalNoticeText value. 


As shown in Figure 3-14, you can also add text to 
the Log On To Windows dialog box through the 
use of two string values in 
HKLM\Software\Microsoft\Windows NT\ 
CurrentVersion\Winlogon: 


e The Welcome value appends text to 
the “Log On To Windows” message 
in the title bar. (For reasons 
unknown, the Welcome value does 
not add text to the logon dialog box 
in Windows XP.) The content of the 
Welcome value is also displayed in 
the title bar of the Windows 
Security dialog box—the one that 
appears when you press 
Ctrl+Alt+Delete while logged on to 
a system that does not have the 
Welcome screen enabled. 


e The LogonPrompt value lets you 
add a message (or legalese text) 
above the User Name and Password 
boxes. 


“-Figure 3-14. Some simple 
registry edits let you customize 
the logon dialog box. 


Setting Up Windows 2000 for 
Secure Logon 


When you set up Windows 2000 on a 
new computer (and do not join a 
domain during setup), the Network 
Identification Wizard runs the first 
time you start your computer after 
setup is complete. Its default choice, 
as shown in Figure 3-15, is to 
configure autologon to bypass the 
requirements for pressing 
Ctrl+Alt+Delete and entering a 
password. It suggests the user name 
you entered as the registered user, for 
which the wizard creates a user 
account that is a member of the local 
Administrators group. It assigns the 
password you enter two times in this 
dialog box; if you don’t enter a 
password, the account’s password is 
blank. If you simply click Next without 
making any changes—a common habit 
when zipping through a wizard 
(especially when you’re anxious to 
begin using a new machine)—Windows 
2000 is configured to log on 
automatically at startup to an account 
with full administrative privileges and 
no password. 


“-Figure 3-15. The default choice 
in the Network Identification 
Wizard produces an insecure 
logon. 


If your computer is already set up this 
way, you'll probably want to change 
the account’s password and group 
membership, as well as the 
computer’s autologon behavior, as 
described elsewhere in this section. 
When you set up your next computer, 
you can avoid these extra hassles by 
selecting Users Must Enter A User 
Name And Password To Use This 
Computer when this wizard runs. At 
the very least, be sure to enter a 
strong password, even if you plan to 
use autologon. 


Setting Account Lockout Policies 


Account lockout policies allow you to lock out an 
account after an incorrect password has been 
entered too many times. Setting up this policy 
can be an effective defense against password- 
cracking attempts in which a user (or, more likely, 
a program) tries repeatedly to log on using 
different passwords. 


When an account is locked out because too many 
wrong passwords have been entered, an 
administrator can unlock the account with Local 
Users And Groups: Double-click the user account 
and clear the Account Is Locked Out check box. 
At this point, of course, you should be on alert 
(unless you know that an authorized user simply 
forgot the password), for your system might be 
under attack. When you unlock the account, you 
should also select the User Must Change 
Password At Next Logon check box, thereby 
dealing a setback to the would-be intruder. 


You set account lockout policies with the Local 
Security Settings console. To start Local Security 
Settings, open Control Panel and then open 
Administrative Tools, Local Security Policy, or 
simply type secpol.msc at a command prompt. 
To view or modify the account lockout policies, 
open Security Settings\Account Policies\Account 
Lockout Policy. Double-click a policy to set its 
value. Table 3-4 explains each policy. 


Table 3-4. Account Lockout Policies 


Policy Description 


Policy 


Account 
lockout 
duration 


Account 
lockout 
threshold 


Reset 
account 
lockout 
counter 
after 


Description 


Setting a number greater than 0 
(the maximum is 99,999 
minutes, or about 69 days) 
specifies how long the user is to 
be locked out. After the specified 
time elapses, the account is 
unlocked. If you specify O (the 
most secure setting), the account 
is locked out forever—or until an 
administrator unlocks the 
account, whichever comes first. 


Specifying a number greater than 
O (the maximum is 999) prevents 
a user from logging on after he or 
she enters a specified number of 
incorrect passwords within a 
specified time interval. A setting 
of 3 lets an authorized user make 
a few inadvertent mistakes but 
doesn’t give an intruder many 
chances to guess correctly. 


Use this policy to set the time 
interval (up to 99,999 minutes) 
during which the specified 
number of incorrect password 
entries locks out the user. After 
this period elapses (from the time 
of the first incorrect entry), the 
counter resets to O and starts 
counting again. A setting of 30 
minutes provides good security 
against typical password-cracking 
attacks. 


Adding Another Layer of Protection 
with Syskey 


Syskey is a feature of Windows 2000 and 
Windows XP that uses a startup key to encrypt 
the Security Accounts Manager, the repository of 
password information. By default, the startup key 
is a machine-generated random key that is stored 
on the local computer. 


For more information about Syskey 


protection, see Safeguarding the 
Security Accounts Manager. 


Because Syskey protection makes it pointless for 
attackers to boot into another operating system 
and steal a copy of the SAM or steal a backup 
copy (common exploits before the advent of 
Syskey), the default setup provides excellent 
protection for the password information in the 
registry. But attackers with physical access to 
your computer, high-powered password-cracking 
tools, and plenty of time could get your 
passwords. If that’s a possibility in your situation, 
you might consider adding another layer of 
protection. Using Syskey, you can configure your 
system so that the startup key is not stored on 
the computer. 


With this extra protection in place, an additional 
prompt appears before the logon sequence 
begins, as shown in Figure 3-16. You'll need to 
insert a floppy disk that contains the startup key 
or enter the startup key password (depending on 
which Syskey option you select) to unlock the 
password database and display the logon 
screens. Without the floppy disk or startup key 
password, no attacker has successfully retrieved 


user logon passwords from a computer that has 
been protected in this way. 


“-Figure 3-16. Using Syskey, you can set up 
your computer to require a password before 
you can see the usual logon screen. 


Bear in mind that this added startup 
requirement provides no additional 
protection once the computer is up 
and running. That is, if an attacker 
can reach your unattended computer 
while an administrator account is 
logged on, your passwords can be 
stolen. An attacker can steal the 
LSASS cache of hashed passwords and 
copy it to a floppy disk in seconds. 
Again, it comes down to physical 
security: Unless your computer is 
always guarded by a person or a 
locked door, be sure to log off when 
you leave the computer and ensure 
that all user accounts are password 
protected. 


To install this additional protection, follow these 
steps: 


1. At a command prompt, type 
syskey. You'll see the following 
dialog box: 


If the Encryption 
Disabled option does not 
appear dimmed, as 
shown here, you've got 


a problem. Someone has 
managed to disable 
Syskey encryption and 
probably has full access 
to your system. 


2. In the dialog box, click Update. 
(Because Syskey protection is 
always enabled in Windows 2000 
and Windows XP, the OK and Cancel 
buttons are effectively equivalent; 
both close the dialog box without 
making any changes.) 


3%In the Startup Key dialog box, 
choose one of the three options: 


e Password Startup. 
Enter a password, 
which you'll need to 
unlock the startup 
key each time you 
start the computer. 
For the best 
protection, the 
password should be 
at least 12 characters 
long. 


e Store Startup Key 
On Floppy Disk. 
Syskey generates a 
new startup key and 
stores it on a floppy 
disk. You must insert 
the floppy disk when 
prompted each time 
you start the 
computer. 


e Store Startup Key 
Locally. This is the 
default setting. By 
storing the startup 
key on the local hard 
disk, Windows can 


access it during 
startup without 
further intervention 
on your part. 


4. Click OK. If you’re changing from 
one of the first two options, provide 
the existing startup key password 
or floppy disk when prompted. 


This protection is so effective that if 
you forget the password or lose the 
floppy disk with the startup key, you 
won't be able to start your computer. 
Write down the password and keep it 
in a safe location, away from the 
computer. Make several backup copies 
of the floppy disk and store them in 
different locations. If you don’t have 
the password or floppy disk when you 
need it, the only solution is to use an 
Emergency Repair Disk (Windows 
2000) or an Automated System 
Recovery Disk (Windows XP) to 
restore your registry from a backup 
created before you enabled startup 
key protection. Doing so, of course, 
obliterates changes that have been 
made in the meantime. 


For more information about Syskey, 
see Knowledge Base article Q143475. 


Chapter 4 


Installing and Using Digital 
Certificates 


Digital certificates (Sometimes called digital IDs, 
public key certificates, or, more simply, 
certificates) are an important component of 
security in Microsoft Windows. Although they’re 
widely used, they're seldom seen and little 
understood. In short, a certificate is a record 
that’s used for authentication (that is, for proving 
one’s identity), encryption (scrambling the 
content of sensitive documents to keep out 
prying eyes), or both. 


Certificates are a basic component of the public 
key infrastructure (PKI). As such, a certificate 
securely links the value of a public key to the 
user, computer, or service that holds the 
corresponding private key. Certificates are issued 
by another integral PKI component, a certification 
authority (CA). The CA verifies the identity of 
each party in an electronic transaction before 
issuing a certificate. 


In this chapter, we help make sense of these 
concepts, explain how to obtain certificates, and 
describe the tools available in Windows for 
managing your certificates. In later chapters, we 
explain how to use certificates for specific 
security-related purposes. Here’s what you can 
look forward to: 


e Chapter 8, “Making Internet 
Explorer Safer,” explains how 
certificates are used to establish 
encrypted communications with 
secure Web sites and how to work 


with certificates for Activex 
controls. 


Chapter 10, “Keeping Your E-Mail 
Private,” describes how to use 
certificates to digitally sign and 
encrypt your important messages. 


Chapter 17, “Securing Ports and 
Protocols,” explains the use of 
IPSec (which stands for Internet 
Protocol security) for secure 
network communications. 


Chapter 18, “Encrypting Files and 
Folders,” covers the role of 
certificates in the Encrypting File 
System. 


What Are Digital Certificates? 


Digital certificates form the basis of two 
important security features: authentication and 
encryption. 


Authentication is the means by which the 
identities of individuals, organizations, and 
devices are validated. For example, if you receive 
a digitally signed e-mail message or download a 
digitally signed program, the signature assures 
you that the identity claimed by the sender or the 
originating organization is genuine. 


Encryption hides information from people who are 
not authorized to see it. Encryption uses keys to 
translate data from its base format to another, 
unintelligible format. The only way to make the 
data intelligible again is to translate it back—and 
of course it takes a key to translate the data back 
to its base format. 


The most efficient and longest-used encryption 
methods, called symmetric encryption, use the 
same key for both encrypting and decrypting 
(that is, the same key at both ends of the 
process). Because both the sender and the 
recipient need the key, transmitting the key from 
the sender to the recipient can be a significant 
problem in itself. 


Another method of encryption, called asymmetric 
encryption, uses different keys to encrypt and 
decrypt data. The asymmetric encryption method 
commonly used today is called public key 
cryptography. Public key cryptography uses a 
private key, known only to a single entity, and a 
public key, which is made available by the owner 
of the private key to anyone who needs it. Data 


encrypted with a public key can be decrypted 
only with its corresponding private key. 


For example, say that you want to send a private 
message to Pat. If you use Pat’s public key to 
encrypt the message, only Pat can decrypt it, 
because she is the only one with the 
corresponding private key. How do you get Pat’s 
public key? She sends it to you, of course. But 
how do you know the key is really from Pat and 
not from someone pretending to be Pat? The 
answer to this question goes back to the other 
primary role of certificates: authentication. The 
message in which Pat sends her public key is 
signed with the private key of a third party— 
trusted by both you and Pat—that verified Pat’s 
identity. Because the trusted third party is the 
only one who could sign a message with its own 
private key, you’re assured that the message 
from Pat containing her public key actually came 
from Pat. 


It’s essential to keep your private keys 
secure. Any unauthorized access to 


them compromises your entire 
security scheme. 


Digital certificates provide the storage and 
transport mechanism for public keys. The person, 
organization, computer, or service to whom a 
certificate is issued (the subject) can distribute 
the public key by sending a certificate. 
Certificates contain several pieces of information, 
including the following: 


e The subject’s public key 


e The subject’s identity, such as a 
name or an e-mail address 


e The certificate’s valid dates 


e The identity of the CA that issued 
the certificate 


e The digital signature of the CA 


Certificate Purposes 


We’ve mentioned the use of certificates for 
signing and encrypting e-mail messages, but you 
can employ public key cryptography in many 
more situations. The public key infrastructure, in 
fact, is used to create a complete system of 
security and authentication that can be tracked 
back to a trusted source. 


Each certificate has specified purposes, which are 
listed within the certificate. The certificate can be 
used only for these allowed purposes. A 
certificate can have more than one purpose. The 
General tab of the Certificate dialog box (see 
Figure 4-1 for an example) lists the certificate’s 
purposes. Table 4-1 describes the most common 
certificate purposes. As Figure 4-2 shows, the 
Certificates snap-in for Microsoft Management 
Console (MMC) can organize certificates by 
purpose. 


“-Figure 4-1. A certificate can have several 
purposes, but it can be used only for the 
purposes specified on the General tab. 


Table 4-1. Common Certificate Purposes 


Purpose Description 


Client Used by clients (such as 
Authentication Web users) to authenticate 
themselves to servers 


Purpose Description 


Server Used by servers (for 

Authentication example, secure Web 
servers using Secure 
Sockets Layer, or SSL) to 
authenticate themselves to 
clients 


Code Signing Used by software producers 
to authenticate software 
(such as ActiveX controls) to 
users 


Secure E-mail Used to sign and encrypt e- 
mail messages using 
Secure/Multipurpose 
Internet Mail Extensions 


(S/MIME) 
Trust List Used to create certificate 
Signing trust lists 


Encrypting Used with the symmetric 
File System key for encrypting and 
decrypting files 


File Recovery Used with the symmetric 
key for recovering encrypted 
files 


“-Figure 4-2. To see a complete list of 
certificate purposes, in the Certificates snap- 
in choose View, Options and select Certificate 
Purpose. 


Certificate Stores 


The storage location for the certificates on your 
computer is called, logically enough, a certificate 
store. Within the certificate store, certificates can 
be grouped according to the role they play within 
the PKI or in the specific application that uses 
them. Table 4-2 describes the logical stores that 
contain the most commonly used certificates. 
Some applications that use certificates create a 
logical group. Microsoft NetMeeting is an 
example. 


Table 4-2. Logical Certificate Stores 


Store Description 


Personal Any certificates assigned to 
you and associated with your 
private keys. 


Trusted Root Self-signed certificates of CAs 

Certification that are implicitly trusted. 

Authorities This store includes certificates 
issued by third-party CAs, by 
Microsoft, and by your 
organization (if it has a 
domain-based certificate 
server). 


Enterprise Any certificate trust lists you 

Trust create. Certificate trust lists 
let you trust self-assigned 
root certificates from other 
organizations. 


Store 


Intermediate 
Certification 
Authorities 


Trusted 
Publishers 


Untrusted 
Certificates 


Third-Party 
Root 
Certification 
Authorities 


Trusted 
People 


Other People 


Description 


Certificates issued to other 
CAs. 


Certificates issued to 
publishers you've designated 
as always trustworthy or that 
are trusted by software 
restriction policies. 


Certificates that you explicitly 
do not trust. Certificates 
arrive here if you select Do 
Not Trust This Certificate in a 
dialog box displayed by your 
e-mail program or Web 
browser. 


A subset of Trusted Root 
Certification Authorities that 
includes trusted root 
certificates from CAs other 
than Microsoft and your 
organization. 


Certificates issued to people 
that are explicitly trusted. 


Certificates issued to people 
with whom you share 
encrypted documents. 


Store Description 


Certificate Certificate requests that are 
Enrollment pending. 
Requests 


Certification Authorities 


A certification authority is an integral part of the 
PKI. The essential role of a CA is to establish and 
vouch for the authenticity of public keys 
belonging to users or other certification 
authorities. To perform this role, a CA issues 
certificates signed with its own private key, 
manages certificate serial numbers, and, when 
necessary, revokes certificates. 


For a certificate to be considered valid, both 
parties in an electronic transaction must trust the 
CA. Before granting a certificate to an individual 
or organization, the CA is responsible for 
verifying the identity of the entity that is applying 
for the certificate. After the requester’s identity is 
verified, the CA assigns the requester both a 
public key and a private key and then supplies a 
digital certificate signed with the CA's private key. 
The validity of the certificate, then, is only as 
good as the credibility and level of trust 
maintained by the CA. 


Certificate authentication works within a 
hierarchy of trust. At some point, you trust the 
CAs you trust because you choose to trust them. 
Unless you remove them, the certificates for all 
the CAs installed by default in your Trusted Root 
Certification Authorities store are trusted without 
question. Trusted root authority certificates are 
self-signed—that is, they authenticate 
themselves. By contrast, the certificates of an 
intermediate CA are signed not by that CA itself 
but by another CA. If the other CA is a trusted 
root authority, the first CA is trusted by inference. 
You might have a whole chain of CA 
authentication—called the certification path— 
ending with a trusted root authority. The 


Certificate dialog box contains a tab called 
Certification Path that displays this chain of 
authentication back to a trusted root authority, as 
shown in Figure 4-3. A white paper available at 
http://www. microsoft.com/technet/prodtechnol/w 


inxppro/support/tshtcrl.asp offers much more 
detail about certification paths and chain building. 


“-Figure 4-3. Each certificate has a 
certification path, a chain of authentication 
back to a trusted root authority. 


By contrast, Figure 4-4 shows a certificate that is 
not trusted because it was not issued by a 
trusted root authority. You can choose to trust 
such certificates, but you should do so only if 
you’re certain of the source’s integrity. In the 
example shown, the certificate purportedly held 
by the U.S. Navy was granted by an issuer 
claiming to be the U.S. Department of Defense. 
This certificate happens to be legitimate, but 
without the imprimatur of a trusted certification 
authority, you can’t really tell. 


“-Figure 4-4, Although this certificate is 
otherwise valid, as indicated in the Certificate 
Status box, it is not trusted because it was 
not issued by a trusted certification 

authority. 


When You Can't Trust a 
Certification Authority 


Through a breakdown in its 
safeguards, even a trusted 
certification authority can issue a 
certificate to someone it shouldn't. In 
a well-publicized incident, VeriSign 
announced in March 2001 that it had 
issued two certificates to an individual 
who had fraudulently claimed to be a 


Microsoft employee. The certificates 
were promptly revoked (in fact, you 
can see them in the Untrusted 
Certificates store if you have Windows 
XP), and potential damage by 
someone sending out malicious code 
purportedly signed by Microsoft was 
avoided. 


If you have Windows 2000 (or earlier 
versions of Windows) and you haven't 
applied the appropriate update to 
revoke these certificates, you might 
be at risk. For information about the 
erroneously issued certificates, see 
Microsoft Knowledge Base article 
Q293817. This article explains how to 
identify the certificates and also 
includes links to Microsoft Security 
Bulletin MSO1-017, which provides 
complete details, and to Q293811, 
which offers a tool that revokes the 
certificates’ trusted status. 


Windows XP includes a feature called 
Update Root Certificates. If this 
feature is enabled (the default 
setting), whenever you are presented 
with a certificate issued by an 
untrusted root authority, Windows 
contacts the Windows Update Web site 
to see whether Microsoft has added 
the CA to its list of trusted authorities. 
If the CA has been added to the 
Microsoft list of trusted authorities, 
Windows adds its certificate to your 
Trusted Root Certification Authorities 
store. 


To enable or disable this feature, open 
Add Or Remove Programs in Control 
Panel and then click Add/Remove 
Windows Components. In the 
Components list, select or clear the 
last check box, Update Root 
Certificates. 


Obtaining a Personal 
Certificate 


A quick journey to the Certificates snap-in or the 
Certificates dialog box reveals that you already 
have lots of certificates installed on your 
computer. (For details about these two tools, see 
Managing_Your Certificates.) Microsoft Internet 
Explorer comes with a whole passel of 
certificates, mostly for trusted CAs. Internet 
Explorer uses these certificates when you begin 
to download a program that has been digitally 
signed. Whenever you download a signed 
program, therefore, you’re using certificates, 
whether you know it or not. Also, when you 
connect to a secure Web site (the lock icon 
appears on the Internet Explorer status bar), 
you're using a certificate to create the encrypted 
link. 


For more information about 
downloading signed programs and 


using secure Web sites, see Chapter 8, 
“Making Internet Explorer Safer.” 


For several good reasons, however, you might 
want to go a little further and begin to actively 
use certificates. Although only a few people today 
digitally sign their e-mail messages, the number 
is increasing. If you have reason to be cautious 
about who reads your e-mail, you'll want to 
acquire public keys from your clandestine 
recipients. Or, if you want to receive secure e- 
mail from someone, you need to understand how 
to give the sender your public key. If you publish 
software on the Internet, you also need to deal 
with certificates. 


The fact that you're reading this book 
indicates that you take computer 
security seriously. Therefore, you 
probably do have situations in which 
the authentication and encryption 
services provided by certificates are 
essential. But don’t go overboard by 
signing and encrypting every 
document and message you handle. 
Along with the benefits of certificates 
come certain headaches; for example, 
a message with an expired certificate 


might not be accessible, and some 
mailing lists choke on digitally signed 
messages. Use these features only 
when they're needed. 


You don’t need to obtain a certificate 
to begin using the Encrypting File 
System for encrypting files on your 
computer. Windows automatically 
creates a self-signed certificate when 
you begin using encryption. For more 
information, see Chapter 18, 
“Encrypting Files and Folders.” 


Certification authorities grant or deny a certificate 
when a requester applies for one. It is the CA's 
responsibility to confirm the identity of the 
requester. Each CA applies its own set of 
requirements to requests. The requirements 
might depend on the purpose of the certificate. It 
is relatively easy to get a certificate for signing e- 
mail messages and harder to get one for signing 
software. 


You can request a certificate from one of the 
many certification authorities available on the 
Internet. Microsoft offers a list of CAs at 
http://office.microsoft.com/assistance/2000/cert 


page.aspx. Most of these services charge a fee 
for granting certificates, and each has its own 
method of verifying your identity. The fees and 
verification process might also vary based on the 
type of certificate you request. If you are granted 
a certificate from a CA whose certificates are 
included among the trusted root certificates by 
default, you can be fairly sure that your 
certificate will be accepted by any Internet 
Explorer user and most likely by anyone else. 


Several third-party CAs are available to provide 
personal certificates to you for various purposes. 
You can find more information about their 
offerings at the following Web sites: 


e GlobalSign 
(http://www. globalsign.net/digital 
certificate/) 


e Thawte 
(http://www. thawte. com/certs/pers 
onal/contents. htm!) 

e VeriSign, Inc. 
(http://digitalid. verisign.com) 


To request a certificate from one of these CAs, go 
to its site and follow the instructions. When your 
certificate is approved, you download it and 
import it into your certificate store. Some sites 
perform the import as part of the download; 
other sites download a file that you must then 
manually import. (For details about importing, 
see Importing Certificates. ) 


Just How Does a CA Know Who 
You Are? 


The hierarchy of certificate 
authentication and trust rests on the 


certification authorities. It is their job 
to verify the identity of everyone who 
requests a certificate. But how do they 
do that? Policies among CAs differ, but 
we can look at one example. Thawte is 
a CA that provides, among other 
things, free personal certificates. 
These certificates have two possible 
purposes: e-mail signing or 
encryption, and personal 

identification. The procedure Thawte 
uses to verify your identity depends 
on which purpose you specify in your 
request. 


If you request a certificate for e-mail 
signing or encryption, the verification 
is quite simple. Thawte sends an e- 
mail message to the address listed in 
the request. The message contains the 
URL of a reply page at Thawte’s Web 
site. To open the page, you must sign 
on with your Thawte user name and 
password. Thawte interprets your 
opening that page as verification of 
the e-mail address, and the certificate 
is granted. This certificate contains 
your e-mail address but not your 
name. Then, whenever anyone 
receives an e-mail message signed 
with this certificate, he or she can be 
assured that you actually own the 
source e-mail account (even if the 
recipient has no assurance that you 
are who you Say you are). 


If you request a certificate for 
personal identification (that is, a 
certificate containing your name), the 


verification process is a bit more 
complicated. Thawte has created a 
“Web of Trust”—essentially a 
worldwide group of notaries who verify 
your identity face to face. You must 
personally visit at least two notaries 
and present some valid identification, 
such as a driver’s license or passport. 
If the notary is satisfied with your 
documents, he or she can award you 
between 10 and 35 points. When you 
receive 50 points, your identity is 
validated. In this system, you must 
identify yourself to at least two and as 
many as five people before Thawte 
validates your identity. Then Thawte 
approves your request for a certificate 
containing your name. 


If you receive an e-mail message 
signed with a certificate that itself is 
signed by Thawte, and the certificate 
contains the name of a person, you 
know that person had to go through 
the steps just described to get that 
certificate. If the certificate is signed 
by Thawte but does not include a 
person’s name, you know that the 
person confirmed only his or her e- 
mail account with Thawte. 


If your computer is part of an Active Directory 
domain, you can use your organization's 
certification authority to obtain a certificate. 
Microsoft Windows 2000 Server and Windows 
.NET Server can offer certificate-granting services 
to computers in the domain or network. Microsoft 
Certificate Services is a CA with two means of 
access: 


e Certificate Services can be run as 
an enterprise service. In this case, 
it is available to all domain 
computers and grants certificates 
based on the requester’s 
permissions in Active Directory. The 
Certificate Request Wizard works 
only with enterprise-wide 
Certificate Services. 


You use the Certificates snap-in to 
request a new certificate from 
enterprise Certificate Services on 
your domain. If you have enterprise 
Certificate Services, select the 
Certificates - Current User\Personal 
folder and choose Action, All Tasks, 
Request New Certificate. Follow the 
wizard’s instructions to request a 
certificate. 


Certificate Services can also be run 
in stand-alone mode. In this case, 
Certificate Services is available 
through an HTML interface, as 
shown in Figure 4-5. The stand- 
alone service does not 
automatically grant or deny 
requests. Requests are placed ina 
queue, and an administrator 
manually reviews them and decides 
whether to grant them. After you 
submit a request for a certificate 
from stand-alone Certificate 
Services on your network, you must 
return to the service to find 
whether your request has been 
granted. The address of the stand- 
alone service is 


http://servername/certsrv, where 
servername is the name of the 
computer running Certificate 
Services. 


You might think that an unscrupulous 
system administrator could use 
Certificate Services to create falsified 
certificates. In fact, he or she could. 
But remember that other users won't 


trust this certification authority. 
(Because it’s not included in your list 
of trusted CAs, Windows displays a 
warning message if such a certificate 
is sent to you. 


“-Figure 4-5. Certificate Services can issue 
certificates to domain users through an HTML 
interface. 


A discussion of installing and 
configuring Certificate Services ona 
domain controller is beyond the scope 
of this book. For information about 
operating certification authority for 
your own organization, see Microsoft 
Windows 2000 Server Administrator’s 
Companion, by Charlie Russel and 
Sharon Crawford (Microsoft Press, 
2000). You can also find plenty of 
helpful information at 

http://www. microsoft.com/technet/pr 
odtechnol/windows2000serv/deploy/2 
O0Ocert.asp and 

http://www. microsoft.com/technet/se 
curity/prodtech/pkitech.asp. 


Managing Your Certificates 


For the most part, you can leave your certificates 
alone. Internet Explorer and Windows 
automatically take care of business and trouble 
you only when necessary. However, you might 
have occasion to examine and work with your 
certificates, particularly if you use personal 
certificates for e-mail, file encryption, and the 
like. 


You need to manage a number of components 
when you start using certificates, and keeping 
track of everything can be difficult. You might 
have personal certificates with private and public 
keys, client certificates, and—if you run any 
server—server certificates. These are just for 
your own computer. You might also have public 
certificates for people to whom you send 
encrypted e-mail and for companies from whom 
you download software. If that’s not enough, you 
have certificates from trusted third parties who 
authenticate your certificates and the certificates 
of those you do business with. 


Users—even users with administrative 


privileges—can manage only their own 
personal certificates. 


You shouldn’t be surprised that Windows offers 
more than one way to manage certificates. In 
fact, Windows gives you two distinct tools for 
certificate management: 


e The Certificates dialog box 


e The Certificates snap-in for 
Microsoft Management Console 


Both tools allow you to perform essentially the 
same tasks. The Certificates dialog box is less 
complicated and easier to use. The Certificates 
snap-in has a few more options. We suggest you 
try the Certificates dialog box first. If you can’t 
accomplish your goal with that, try the MMC 
snap-in. We discuss both in this chapter. 


Where Do They All Come From? 


When you first venture into the 
certificate-management tools, you 
might be surprised (and 
overwhelmed!) at the number of 
certificates that are already installed 
on your computer. How did they get 
there? The certificates in your 
computer’s certificate stores generally 
arrive in one of these ways: 


e Many certificates are 
included on the Windows 
CD and are installed by 
the Setup program. 


e Your Web browser 
installs certificates when 
you visit a secure Web 
site using SSL and trust 
is established. 
(Therefore, as you use 
the Internet and connect 
to servers that use 
certificates for 
authentication and other 
purposes, your 
certificate collection 
continues to grow.) 


e You choose to accept a 
certificate when you 
install ActiveX controls 
or other software. 


e Someone sends you a 
digitally signed or 
encrypted e-mail 
message or document. 


e You request a certificate 
from a CA, including 
personal certificates for 
signing and encryption, 
certificates needed for 
access to certain 
resources (such as a 
virtual private network), 
and so on. 


Using the Certificates Dialog Box 


You open the Certificates dialog box from the 
Internet Options dialog box. Begin by opening 
Internet Options from its Control Panel icon or by 
choosing Tools, Internet Options in Internet 
Explorer. In Internet Options, click the Content 
tab and then click Certificates. 


Avoid annoying modal dialog 
boxes 


If you open Internet Options (and 
then Certificates) from Internet 
Explorer, you can’t use that Internet 
Explorer window until you close those 
two dialog boxes. If you find so-called 
modal dialog boxes annoying, be sure 


to open Internet Options from Control 
Panel or from an Internet Explorer 
window that you’re not actively using. 


In Windows 2000, you can use an 
alternative method to open the 
Certificates dialog box: In Control 
Panel, open Users And Passwords. On 
the Advanced tab, click Certificates. 


However you open it, the Certificates dialog box 
you see looks similar to the one shown in Figure 
4-6. 
“-Figure 4-6. You can manage all your 
certificate components from one dialog box. 


The Certificates dialog box organizes your 
certificates on tabs that correspond roughly to 
the logical stores: 


e Personal. This tab contains 
certificates with an associated 
private key (typically, your own 
personal certificates). 


e Other People. This tab contains 
certificates for users with whom 
you've shared access to one or 
more encrypted files. 


e Intermediate Certification 
Authorities. This tab contains 
certificates from CAs other than 
those with trusted root certificates. 


e Trusted Root Certificates. This 
tab contains self-signing 
certificates. You intrinsically trust 
content from people and publishers 
with certificates issued by these 
CAs. 


e Trusted Publishers. This tab, 
which appears only in Windows XP, 
contains certificates for which 
you've selected the Always Trust 
Content From check box when 
given the choice in a Security 
Warning dialog box. 


You can filter the certificates listed on each tab 
according to their purposes. In the Intended 
Purpose box at the top of the Certificates dialog 
box, you can choose to see all certificates with 
any purpose (All), those with a particular purpose 
(the purposes listed are those that are not 
selected in the Advanced Options dialog box), or 
only those certificates with advanced purposes. 
To set up or change the Advanced Purposes list, 
click the Advanced button. The Advanced Options 


dialog box presents a list of certificate purposes, 
as shown in Figure 4-7. From this list, select the 
purposes that you want to include in the 
Advanced Purposes list. 


“-Figure 4-7. Select the certificate purposes 
you want to include in the Advanced 
Purposes list. 


Using the Certificates Snap-In 


When you first open a console with the 
Certificates snap-in, each logical store is 
represented by a folder in the console tree. 
Certificates appear in the details pane, as shown 
in Figure 4-8. 


“-Figure 4-8. The Certificates snap-in allows 
you to manage all your certificates from an 
MMC console. 


The easiest way to open the Certificates snap-in 
in Windows XP is to use Certmgr.msc, a 
predefined console that shows certificates for the 
current user. To start this console, open the Run 
dialog box (or any command prompt) and type 
certmgr.msc. 


Creating a Console 


Users of Windows 2000 must first create a 
console that incorporates the Certificates snap-in. 
(Like Windows XP, Windows 2000 includes a 
predefined console named Certmgr.msce. It’s 
configured, however, to look for a nonexistent 
file, so it displays only an error message and an 
empty certificate store.) To create a console, 
follow these steps: 


1. At a command prompt, type mmc 
to open Microsoft Management 
Console. 


2. Open the Console menu, and 
choose Add/Remove Snap-In (or 
simply press Ctrl+M). 


3. In the Add/Remove Snap-In dialog 
box, click Add. 


. In the Add Standalone Snap-In 
dialog box, select Certificates and 
click Add. 


5%In the Certificates Snap-In 
dialog box, select the account for 
which you want to manage 
certificates: My User Account, 
Service Account, or Computer 
Account. For most purposes, you'll 
want to select My User Account. 


The Certificates Snap-In 
dialog box appears only 
if you’re logged on as an 
administrator. 

Nonadministrative users 


can manage certificates 
only for their own user 
account, so that choice 
is made automatically 
for them. 


. In the Certificates Snap-In dialog 
box, click Finish. 


. If you're logged on as an 
administrator and you want to 
include the service or computer 
accounts (or both) in your console, 
repeat steps 4 through 6 to add the 
other accounts you want. 


. In the Add Standalone Snap-In 
dialog box, click Close. In the 
Add/Remove Snap-In dialog box, 
click OK. 


. Customize your console as you like, 
and then choose Console, Save to 
save it as an .msc file that you can 


easily launch from a command 
prompt or shortcut. 


Viewing certificates for different 
accounts and computers 


Note that the Certificates snap-in 
handles one of three accounts: current 
user, services, and computer. (You can 
direct the services and computer 
options at your own local computer or 
at another computer on your network 
for which your user account has 
administrative permissions.) 
Certificates can be associated with one 
or more of these accounts. To include 
all accounts in a console, you must 
add the snap-in three times, selecting 
a different account each time. 


The predefined Certificates console 
(Certmgr.msc) included with Windows 
XP displays certificates only for the 
current user account. If you want to 
view certificates for the services or 
computer accounts—on your own 
computer or on another network 
computer—you can follow the 
procedure we outlined to create a 
console for Windows 2000 users. 


Changing View Options 


By default, the Certificates snap-in displays 
certificates organized by logical stores. But you 
can set up views that organize them differently. 
Select a top-level Certificates snap-in and then 
choose View, Options. The View Options dialog 
box appears, as shown in Figure 4-9. 


“-Figure 4-9. The Certificates snap-in 
organizes its display of certificates by 
certificate purpose or logical store. 


The View Options dialog box offers two view 
modes: Certificate Purpose and Logical Certificate 
Stores (the default). Selecting Certificate Purpose 
displays the certificates in folders organized 
according to purpose, as shown in Figure 4-2. If 
you select Logical Certificate Stores, you can also 
select Physical Certificate Stores. If both logical 
and physical stores are displayed, the console 
tree is organized as shown in Figure 4-10. By 
default, the snap-in does not display archived 
certificates, but you can select Archived 
Certificates in the View Options dialog box to 
display them. 


Archived certificates are certificates 
that have expired. It’s usually best to 
keep such certificates instead of 
deleting them upon expiration. You'll 
need them, for example, in order to 
confirm the digital signature on old 


messages or documents that were 
signed using the key on the archived 
certificate. More important, you'll want 
the archived certificate if it’s needed 
to decrypt a document that was 
encrypted with the now-expired key. 


“-Figure 4-10. You can display physical 
locations within each logical store. 


Viewing and Modifying Certificate 
Properties 


You might want to view the contents of a 
certificate to note its expiration date, purpose, or 
certifying authority. Whether you use the 
Certificates dialog box or the Certificates snap-in, 
you can view certificate properties simply by 
double-clicking the certificate of interest. When 
you open a certificate, you see a Certificate 
dialog box. The General tab provides a clearly 
formatted summary of the certificate’s purposes, 
subject, issuer, and valid dates. (Figure 4-1, 
shows an example.) The Details tab, shown in 
Figure 4-11, lists all the parameters in a 
certificate and their values. The Certification Path 
tab shows the chain of authentication back to a 
root certification authority. (See Figure 4-3, for 
an example.) 


“-Figure 4-11. The Details tab provides a 
comprehensive summary of a certificate’s 
contents. 


Determining a Certificate’s Validity 


The icon near the top of the General tab offers 
some important information about a certificate’s 
validity. If it has a red X in the corner, as shown 
in Figure 4-12, the certificate has a problem, 
which is explained in the text below the icon. A 
red X appears in these cases: 


e The certificate was not issued by a 
trusted CA. This occurs with your 
own self-signed certificates, among 
others. If you know the issuer is 
valid, you can move the certificate 


to your Trusted Root Certification 
Authorities store. 


The certificate was issued without 
verification, which is often the case 
with free certificates obtained on a 
trial basis from third-party CAs. 


The certificate has expired or been 
revoked. 


“-Figure 4-12. Seeing a red X 
on the General tab should raise 
your alert level. 


Examine the Issued By and Issued To fields for 
additional clues about a certificate’s validity. Do 
you know and trust the CA and the person or 
organization to whom the certificate was issued? 


Finding a particular certificate 


You won't always know which store 
holds a certificate you’re looking for. 
Because of the number of stores and 
the large number of certificates in 
some stores, browsing to find a 
particular certificate can be tedious, at 
best. 


The Certificates snap-in (but not the 
Certificates dialog box) offers a search 
feature that makes it easy to find that 
proverbial needle in a haystack. In 
addition, the Find Certificates dialog 
box, shown here, offers a quick way to 
perform common tasks with the 
certificates you find. Select a 
certificate and then open the File 
menu, where you'll discover 


commands to renew, export, delete, 
or display a certificate. 


“TO use the Find Certificates 
feature, in the console tree select the 
Certificates folder or one of its first- 
level subfolders. Then open the Action 
menu and choose Find Certificates. 


Changing a Certificate’s Properties 


You can modify certain properties of a certificate 
—although you'll seldom have reason to do so. If 
you find a certificate’s Issued To name (the field 
by which certificates are normally listed and 
identified) to be inscrutable, you can assign (or 
change) the certificate’s friendly name or 
description. (The Friendly Name column appears 
by default in the details pane of the Certificate 
snap-in, although it’s so far to the right that it’s 
usually hidden. If you end up relying on the 
Friendly Name column for any reason, you might 
want to move it to a more prominent position. 
Drag the column title to the new position, and 
drag its right border to adjust the width. You can 
also change the column order by opening the 
View menu and choosing Add/Remove Columns.) 


The other change you can make to certificate 
properties is to enable or disable certain 
certificate purposes—although you can enable 
only purposes that are allowed by the certificate 
issuer. 


To view or modify the friendly name, description, 
or enabled purposes, open a certificate, click its 
Details tab, and click Edit Properties. 
(Alternatively, if you’re using the Certificates 
snap-in, you can right-click a certificate and 
choose Properties.) A dialog box such as the one 


shown in Figure 4-13 appears, in which you can 
read or modify the properties. 


“-Figure 4-13. The Certificate Properties 
dialog box lets you create your own “friendly 
name” for a certificate. 


Examining Certificates in Office XP 


Microsoft Office XP lets you attach a 
digital certificate to a document, 
spreadsheet, or presentation. As with 
e-mail messages, a certificate 
provides a digital signature that 
authenticates the document signer 
and ensures that the document has 
not been modified. To add a digital 
signature to a document, open the 
Office application’s Tools menu and 
choose Options. On the Security tab, 
click Digital Signatures and then click 
Add. 


You can view the certificate attached 
to a document in the same Digital 
Signature dialog box. Select a 
certificate and choose View Certificate; 
you'll see the same Certificate dialog 
box that you’d find if you located the 
certificate in the Certificates dialog 
box or the Certificates snap-in. 


Office XP and Office 2000 also allow 
digital signing of macro projects. It’s a 
good thing, too, because Microsoft 
Word macros have been the source of 
numerous security problems. If your 
Office macro security setting (choose 
Tools, Macro, Security) is set to 
Medium or High, Office displays a 
warning when you open documents 


that are unsigned or signed with 
untrusted certificates. 


To view the certificates for a signed 
macro project, choose Tools, Macro, 
Visual Basic Editor. In the Visual Basic 
Editor, select the macro project and 
choose Tools, Digital Signature. In the 
Digital Signature dialog box, click 
Detail. 


For certificates attached to 
documents, a red X on the General tab 
can indicate that the document has 
been modified by someone other than 
the signer. A red X also appears if the 
certificate was not valid at the time it 
was used to sign the document. 


Exporting Certificates for Safekeeping 


You can export certificates from your certificate 
stores to ordinary files. You might want to do this 


e To create a backup copy for 
safekeeping 


e To copy or move a certificate for 
use on another computer 


To export a certificate in the Certificates dialog 
box, simply select the certificate and click Export. 
In the Certificates snap-in, select the certificate 
and choose Action, All Tasks, Export. Either action 
starts the Certificate Export Wizard. Like most 
wizards, the Certificate Export Wizard is pretty 
intuitive—except for the Export File Format page, 
shown in Figure 4-14. For more information about 
your choices here, see the sidebar “File Formats 
for Exported Certificates.” 


“-Figure 4-14. The Certificate Export Wizard 
supports four standard file formats for 
certificates. 


When you export a personal certificate that 
contains a private key, you have the option of 
exporting the private key with the certificate. If 
you choose to export the private key, you must 
supply a password to protect it. You'll want to 
export the private key if you are exporting the 
certificate in order to import it to another 
computer of yours where you want to use the 
same keys. 


Use drag and drop to export 


In the Certificates dialog box (but not 
the snap-in), you can drag a 


certificate to your desktop or to a 
folder in Windows Explorer. No wizard 
appears, and you don’t have to 
answer any questions; an exported 
certificate file simply appears 
wherever you drop the certificate. 


By default, the drag-and-drop export 
feature creates a DER encoded binary 
X.509 file. You can select another 
certificate file type by clicking the 
Advanced button in the Certificates 
dialog box. The Advanced Options 
dialog box (see Figure 4-7) offers a 
list of export formats. Note, however, 
that the Personal Information 
Exchange (PKCS #12) file type is not 
available. Including this option doesn’t 
make sense because it’s the only 
format that can include private keys 
(and because it’s not available for 
most certificates). 


You can export multiple certificates into a single 
file in any of three ways: 


e In the Certificates dialog box or the 
Certificates snap-in, select multiple 
certificates before you begin the 
export. (You do that the same way 
you make multiple selections in 
Windows Explorer and other 
applications: drag a lasso around 
the entire group or hold down the 
Ctrl key as you click each item you 
want to select.) The Certificate 
Export Wizard combines the 
selected certificates into a single 
PKCS #7 file. 


e To export a certificate and all the 
certificates in its certification path, 
select PKCS #7 in the Certificate 
Export Wizard. Also select Include 
All Certificates In The Certification 
Path If Possible. 


e In the Certificates snap-in, you can 
export an entire store as a single 
file. To do so, you must first display 
physical certificate stores within 
logical certificate stores. (For 
details, see Changing View 
Options.) Select a physical store 
(such as Registry, Local Computer, 
or Group Policy) that contains the 
certificates you want to export, and 
then choose Action, All Tasks, 
Export Store. The Certificate Export 
Wizard combines the files in the 
selected store into a single 
Microsoft Serialized Certificate 
Store file. 


When you subsequently import a file that 
contains multiple certificates, the Certificate 
Import Wizard imports all the certificates 
contained in the file. 


File Formats for Exported 
Certificates 


You can export and import certificates 
in any of several formats with rather 
cryptic names: 


e DER encoded binary 
X.509. Distinguished 
Encoding Rules (DER) 
X.509 defines a 


platform-independent 
method (that is, a 
method that can be used 
on computers running 
any operating system) 
for encoding certificates 
and other files for 
transmission between 
computers. Certificates 
you receive from CAs 
that do not use Windows 
2000 might use this 
format, but there’s no 
reason for you to use 
X.509 for exporting 
certificates that will be 
used only on Windows- 
based computers. This 
file type uses a .cer or 
.crt file name extension. 


Base-64 encoded 
X.509. This X.509 
variant uses an encoding 
method designed for use 
with S/MIME, a standard 
method for securely 
sending attachments 
over Internet e-mail. 
The entire file is 
encoded as ASCII 
characters, which 
ensures that it will 
Survive a trip through 
various mail gateways 
unscathed. Unless you 
have problems sending a 
certificate file as an e- 
mail attachment, you 


don’t need to use this 
format for exporting 
certificates that will be 
used only on Windows- 
based computers. This 
file type uses a .cer or 
.crt extension. 


Cryptographic 
Message Syntax 
Standard - PKCS #7 
Certificates. Unlike the 
X.509 formats, PKCS 
(Public Key 
Cryptography Standard) 
#7 certificates allow you 
to combine a certificate 
and all the certificates in 
its certification path in a 
single file, making it 
easy to move a trusted 
certificate from one 
computer to another. 
This file type uses a .p7b 
or .spc extension. 


Personal Information 
Exchange - PKCS #12. 
Sometimes called 
Personal Interchange 
Exchange format (which, 
strangely enough, is 
abbreviated PFX), this 
format allows you to 
transfer your certificates 
along with their 
corresponding private 
keys. It’s the only 
supported format that 


can include private keys. 
To permit the inclusion 
of the private key, the 
key must be marked as 
exportable; this is 
controlled by the CA that 
issues the original 
certificate. This file type 
uses a .pfx or .p12 
extension. 


Microsoft Serialized 
Certificate Store. This 
format is used only 
when you choose to 
export or import an 
entire certificate store. 
This file type uses an 
.sst extension. 


Which format should you use? For 
encryption certificates or other 
certificates with a private key to be 
included in the exported file, use PKCS 
#12. (Include the private key only for 
your own backups or for installation 
on your own computers. Don’t send a 
certificate with your private key to 
anyone else!) For all other certificates 
that you want to import to a computer 
running Windows, use PKCS #7. 
Computers running other operating 
systems might not support PKCS #7; 
to create a certificate for use on such 
a computer, use either of the X.509 
formats. X.509 is the most widely 
accepted format for certificates. 


Importing Certificates 


Once you have a certificate in a standard 
certificate file—one that you exported or one that 
was sent to you by someone else—you can 
import it into your certificate store. You'll want to 
import a certificate to accomplish the following 
tasks: 


e To install a new certificate that you 
receive from another person or 
from a CA 


e To restore a damaged or lost 
certificate from your backup copy 


e To install your personal certificate 
on another computer 


To import a certificate in the Certificates dialog 
box, click Import. If you’re using the snap-in, 
select any folder in the console tree. Then open 
the Action menu and choose All Tasks, Import. 
The Import Certificate Wizard leads you through 
the simple process. 


Import certificates directly from 
files 


You can import certificates without 
opening the Certificates dialog box or 
snap-in. Simply right-click the 


certificate file in Windows Explorer (or 
on your desktop) and choose Install 
Certificate. This command launches 
the Certificate Import Wizard, 
bypassing the step in which you must 
browse to find the certificate file. 


Copying or Moving a Certificate 


Using the Certificates snap-in (but not the 
Certificates dialog box), you can copy or move 
certificates from one store to another. You might 
do this to move a certificate that you know to be 
good—but that was not issued by a trusted CA— 
to the Trusted Root Certification Authorities or 
Trusted People store, for example. 


To copy or move a certificate, you must use the 
snap-in’s logical certificate stores view. (For 
details, see Changing View Options.) Select the 
certificate and then choose Copy or Cut (to move 
it) from the Action menu or from the shortcut 
menu that appears when you right-click a 
certificate. Select the destination store and then 
choose Action, Paste. 


You can also use the drag-and-drop feature just 
as you would in Windows Explorer: Drag a 
certificate (or multiple certificates) to another 
store to move it; hold down the Ctrl key as you 
drag to copy the certificate. (And if you can never 
remember which action copies and which one 
moves, drag using the right mouse button. When 
you drop the certificate, a shortcut menu opens 
to ask whether you want to move or copy.) 


You can’t use these techniques to copy 
or move a certificate to a file folder; to 


do that, you must export the 
certificate. For details, see Exporting 
Certificates for Safekeeping. 


Deleting a Certificate 


If you’re moving to a new computer and passing 
your old computer on to someone else (without 
formatting its drives), you should delete your 
personal certificates. Or you might want to delete 
a certificate if, for example, you no longer trust 
the person or organization to whom the 
certificate was issued. This is a rare situation, 
however, and you should consider moving the 
certificate to another store (for example, 
Untrusted Certificates) instead of deleting it. 


Regardless of your reason for deleting a 
certificate, you should first export the certificate 
so that you have a backup copy available if you 
need it later. 


Maintaining an exported backup copy 
is especially important if the certificate 
was used for encrypting messages or 


other files. Without the certificate, you 
won't be able to decrypt the encrypted 
information. 


To delete a certificate in the Certificates dialog 
box, select the certificate and click Remove. With 
the Certificates snap-in, select the certificate and 
choose Action, Delete (or simply press the Delete 
key). You'll be given a final chance to reconsider 
when a confirmation dialog box appears. 


Don’t worry about deleting 
Trusted Publishers 


You can safely delete certificates from 
the Trusted Publishers store. (These 
publishers are ones for which you 
selected the Always Trust Content 
From check box in the Security 


Warning dialog box that appears when 
you download active software.) If 
you've already installed software from 
the publisher whose certificate you're 
deleting, it will continue to run; the 
only effect of deleting a Trusted 
Publisher certificate is that the next 
time you attempt to install software 
from the publisher, you'll again be 
presented with the Security Warning 
dialog box. 


Renewing a Certificate 


When certificates issued by an enterprise 
certificates server expire, they can be renewed. 
The Certificates snap-in gives you two options for 
renewing expired or about-to-expire certificates: 
You can renew them with the same keys or with 
new keys. If you are concerned that the keys 
might be compromised, you might want to renew 
the certificate with new keys. You renew a 
certificate by right-clicking its icon and choosing 
All Tasks, Renew Certificate With Same Key or All 
Tasks, Renew Certificate With New Keys. 


Chapter 5 


Securing a Shared Computer 


Almost by definition, allowing more than one 
person to use a single computer creates potential 
security problems. If each party with access to 
the computer is completely trustworthy and has 
permissions commensurate with his or her level 
of experience, these security risks are relatively 
small. Most of the time, however, the users of a 
shared computer need to be protected from each 
other (and sometimes from themselves). As the 
responsible adult in charge of a computer used 
by the whole family, for instance, you certainly 
want to keep children from accessing your work 
files or installing untrusted software. In a small 
office, you need to safeguard confidential 
information so that only authorized users can 
view it. 

Setting up a shared computer requires that 
someone take on the role of administrator and 
make the tough decisions about rights and 
permissions for each user. When you don your 
administrator’s hat, your primary responsibility is 
to protect the privacy of each user’s data and to 
secure the operating system so that an 
inexperienced user doesn’t accidentally damage 
configuration details. 


In this chapter, we focus on three distinctly 
different tasks: 


e Creating secure storage for each 
user’s private files. Using the NTFS 
file system available in Microsoft 
Windows XP or Windows 2000, you 
can make certain that each user is 
able to save files to a location that 
is protected from access by any 


other user of the computer, 
including administrators. 


Creating secure locations where 
users of the same computer can 
safely share files with one another. 
This capability allows users to 
collaborate easily on projects; it’s 
also useful for securely and 
efficiently managing collections of 
data files that take up 
disproportionate amounts of disk 
space, such as music, pictures, 
video, and other digital media files. 


e Preventing users from changing the 
computer’s configuration without 
authorization. This safeguard is 
equally important in small 
businesses and on home 
computers, where some users 
might not have the technical skills 
to install applications and adjust 
system settings or the experience 
to leave crucial system files alone. 


This chapter does not cover the ins and outs of 
sharing files with other users over a network 
(including the Internet). For the fine points of 
safely sharing information across a network, read 
Restricting Network Access to Files and Folders. 


Any discussion of file security in Windows begins, 
by necessity, with the user-based access controls 
that are a key part of the NTFS file system. 
Although the underpinnings of NTFS security are 
the same in Windows 2000 and Windows XP, the 
implementations of these controls differ greatly, 
thanks to a Windows XP feature called Simple File 
Sharing, which controls the default permissions 


for common data locations and provides a user 
interface that is dramatically different from its 
counterpart in Windows 2000. Before you even 
think about implementing user-based access 
controls, it’s crucial that you understand how 
these interfaces work. 


Security Checklist 


Follow the steps on this checklist to 
ensure that your file system and 
Windows registry are safe from 
unauthorized tampering. 


e Convert all local drives 
to NTFS. 


e On computers running 
Windows XP 
Professional, consider 
disabling Simple File 
Sharing to increase the 
range of security options 
you can exercise over 
files and folders. 


e Use encryption to 
protect sensitive files. 


e On computers running 
Windows XP 
(Professional or Home 
Edition), use the option 
to make files in your 
personal profile private. 


e Educate users of a 
shared computer about 
safe techniques for 
working with the 
registry. 


Using NTFS Permissions for Access 
Control 


On volumes formatted with NTFS, every entry in the 
master file table—every file, folder, and subfolder— 
includes an access control list (ACL) that defines which 
users and/or groups have permission to access that 
object. Each individual item in the ACL is called an 
access control entry (ACE) and consists of the security 
identifier (SID) for the account it controls (a user, 
group, or computer, or a special account managed by 
the operating system) along with permissions that 
describe the type of access that account is permitted. 
Most of the time, of course, Windows hides the SID 
and shows you a friendlier name for the account in 
question—the name of a user or group, for instance. 


As we emphasize throughout this book, the 
NTFS file system is an integral part of the 
security infrastructure in Windows XP and 
Windows 2000. If you’re still using the 
FAT32 file system for drives that contain 
sensitive data, we highly recommend that 
you convert those drives to NTFS. If you're 
not certain you should do so, we suggest 
that you reread Securing Your Computer: A 
Checklist. 


The owner of a file or folder (typically the person who 
creates the item) has the right to allow or deny access 
to that resource. In addition, members of the 
Administrators group and other authorized users can 
grant or deny permissions by modifying ACEs (unless 
the owner of that resource has denied access to the 
Administrators group). In Windows XP, using the 
Simple File Sharing interface, your options for 
modifying permissions are severely limited. If you use 
Windows 2000 Professional, however, or if you disable 
Simple File Sharing in Windows XP Professional, you 
gain access to the full complement of NTFS 
permissions. (Users of Windows XP Home Edition must 


start their computer in Safe Mode to bypass Simple 
File Sharing.) With NTFS permissions, you can add 
individual users to the list of users associated with a 
file or folder and allow or deny specific types of file and 
folder actions. You can also assign permissions to 
built-in groups (the Administrators group, for instance) 
or create your own groups and assign permissions to 
them. As we'll explain later in this section, some 
permissions don’t need to be explicitly defined but 
instead are inherited from permissions set in a parent 
folder. 


When you first install Windows XP or Windows 2000 
and choose NTFS as the file system, the Setup 
program automatically applies default permissions to 
common locations. To view the permissions assigned 
to any file or folder under Windows 2000 Professional 
or Windows XP Professional with Simple File Sharing 
disabled, open Windows Explorer, right-click the icon 
for the object in question, choose Properties, and then 
click the Security tab. The resulting dialog box shows 
the list of users and/or groups with ACEs for that 
object; selecting an entry in the list reveals the 
permissions assigned to that user or group. 


Figure 5-1, for instance, shows the default permissions 
that Windows 2000 assigned to the user profile folder 
for the account with the user name Ed on the 
computer BOTT-2KPRO-VM. Because this folder was 
created the first time he logged on, Ed is the Creator 
Owner of the folder and has Full Control permissions 
for all files and subfolders within it. The System 
account and all members of the Administrators group 
also have Full Control permissions in this location, 
allowing any administrator to create, modify, and 
delete files and subfolders here. Any user other than 
Ed who is not a member of the Administrators group 
and tries to access files in this location will see an 
error message. 


“-Figure 5-1. The default permissions give each 
user full control over all files and folders in his or 


her profile; any user who is not a member of the 
Administrators group is locked out. 


For commonly used storage locations where security is 
critical, Windows controls security by assigning 
different permissions to different groups of users. One 
such location is the %SystemRoot% folder, which 
contains system files, device drivers, security settings, 
service packs, and other essential files. Figure 5-2 
shows the full permissions for this folder (in this case, 
C:\Winnt), with additional details about permissions 
that apply to subfolders; to see this dialog box, click 
the Advanced button on the Security tab. 


“-Figure 5-2. Use this dialog box to view the full 
list of access control settings for a file or folder. 
Because members of the Users group have limited 
permissions, they can’t damage the system 
configuration. 


In this example, the System account and the 
Administrators group have Full Control permissions 
over files in this folder and all its subfolders. Members 
of the Power Users group are assigned the Modify 
permission, which allows them to create new files and 
replace existing ones (when installing new software, 
for example) but does not allow them to delete 
subfolders or change permissions on existing files. 
Members of the Users group (also known as /imited 
accounts in Windows XP) are given only Read & 
Execute permission for this folder and its subfolders, 
which effectively prevents them from installing any 
program or device driver that creates or replaces 
system files as part of its setup routine. Permissions 
for the Everyone group are the most limited. This 
group (which includes anyone logging on through the 
Guest account) has Read & Execute permissions for 
the %SystemRoot™% folder only and is locked out of all 
subfolders. Collectively, these security precautions 
prevent naive or untrained users from inadvertently 
installing viruses and Trojan horse programs. 


Bring back default permissions 


If you tinker with permissions in locations 
where system files are stored, you could 
end up with a system whose overall 
security can’t be trusted or verified. What 
do you do in that case? If you remember all 
the locations where you made changes, you 
can use the Security tab on the Properties 
dialog box for each folder (or use the Cacls 
utility from a command prompt, as 
described in “Setting NTFS Permissions 
Using Command- Line Utilities”) to restore 
the default permissions. If you're not 
certain which folders have nonstandard 
permissions, try using the Security 
Configuration And Analysis tool to restore 
the default NTFS permissions using a 
Security Configuration template. (This 
solution also restores default registry 
permissions and user rights.) Caution: This 
is a drastic measure that undoes any 
custom permission settings that might have 
been applied by applications, Windows 
updates, or patches. Use this technique 
only as a last-ditch alternative to 
completely reinstalling Windows. 


1. After logging on as an 
administrator, go to any 
command prompt and type 
mmc to start the Microsoft 
Management Console. 


2. Press Ctrl+M to open the 
Add/Remove Snap-In dialog 
box. 


3. Click the Add button and 
choose Security Configuration 
And Analysis from the list of 
available snap-ins. Click Add 
and then click Close. Click OK 
to close the Add/Remove 


Snap-In dialog box and return 
to the MMC window. 


4. In the Console Root pane, 
right-click Security 
Configuration And Analysis 
and choose Open Database. 


5. Enter a name for the file that 
will hold your security 
settings. Any descriptive 
name, such as Default 
Settings, is sufficient. Click 
Open to save the name you 
entered. 


6. If you’re using Windows 
2000, the Import Template 
dialog box opens. If you're 
using Windows XP, right-click 
Security Configuration And 
Analysis again and choose 
Import Template. If 
necessary, change the 
displayed folder to 
%SystemRoot%\Security\Tem 
plates. 


7. From the list of available 
templates, choose Setup 
Security.inf and click Open. 


8. In the console tree, right-click 
Security Configuration And 
Analysis and choose 
Configure Computer Now. 


For more details about this procedure, see 
Using Security Templates. 


Basic and Advanced Permissions 


Windows 2000 and Windows XP Professional let you 
control access to system resources by using a set of 
predefined basic permissions. Table 5-1 lists these 
basic permissions and describes the effects they have 
when assigned to a specific user or group. 


Table 5-1. Basic NTFS Permissions 


Permission Effect on Users and Groups 


Full Control Gives the selected user or group full 
control over the file or folder. With 
Full Control permission, a user can 
do anything to an object—list the 
contents of a folder, read and open 
files, create new files, delete files 
and subfolders, change permissions 
on files and subfolders, and take 
ownership of files, for instance. 
Note that selecting the Full Control 
check box on the Security tab also 
selects all permissions . 


Modify Allows the selected user or group to 
read, change, create, and delete 
files but not to change permissions 
or take ownership of files. Selecting 
this check box also selects the 
permissions listed below it on the 
Security tab and is equivalent to 
assigning Write and Read & Execute 
permissions. 


Permission Effect on Users and Groups 


Read & Allows the selected user or group to 

Execute view files and execute programs. 
Selecting this check box on the 
Security tab also selects the List 
Folder Contents and Read 
permissions as well. 


List Folder Available on the Security tab only 


Contents for a folder, this option provides the 
(folders same individual permissions as 
only) Read & Execute. The only difference 


is that this permission is inherited 
by subfolders but not by files within 
the folder or subfolders. 


Read Allows the selected user or group to 
list the contents of a folder, view file 
attributes, read permissions, and 
synchronize files. This is the most 
basic permission. 


Write Allows the selected user or group to 
create files, write data, read 
attributes and permissions, and 
synchronize files. 


The final entry in the Permissions list, Special 
Permissions, is unlike all previous options in that you 
cannot select it directly to apply a set of predefined 
permissions. Instead, this option is shown as selected 
whenever the assigned permissions don’t match any of 
the built-in templates. To see details, click the 
Advanced button, select a user or group name, and 
then click the Edit button (Windows XP) or the 
View/Edit button (Windows 2000). Don’t be misled by 
this long list of so-called special permissions. 
Whenever you adjust NTFS permissions, your actions 
ultimately result in changes to this list. Using the built- 


in permission options—Full Control, Modify, and so on 
—simplifies the process for you by setting 
predetermined groups of permissions from this full list. 
When you select the Allow check box next to the Read 
& Execute entry on the Security tab, for instance, 
Windows actually sets five individual permissions in 
response to the single click, as shown in Figure 5-3. 


“-Figure 5-3. Assigning the Read & Execute 
permission to a user or group actually assigns 
these five individual permissions to the ACE for 
the selected object. 


For all but the most unusual access control settings, 
the predefined basic permissions are perfectly 
adequate. In the unlikely event that you need to 
assign these permissions individually, your best 
strategy is to choose the basic permission that comes 
closest to the set of permissions you want to use. You 
can then add or remove special permissions as 
needed. Table 5-2 lists the full set of special 
permissions that are applied when you set each of the 
predefined basic permission options. 


Table 5-2. Special Permissions Applied by Basic 
Permissions 


Basic Permissions Special Permissions 


Read List Folder/Read Data 
Read Attributes 
Read Extended Attributes 
Read Permissions 


Read & Execute or List All Read permissions 
Folder Contents listed above 
Traverse Folder/Execute 
File 


Basic Permissions 


Write 


Modify 


Full Control 


Special Permissions 


Create Files/Write Data 
Create Folders/Append 
Data 

Write Attributes 

Write Extended Attributes 


All Read & Execute 
permissions listed above 
All Write permissions 
listed above 

Delete 


All permissions listed 
above 

Delete Subfolders And 
Files 

Change Permissions 
Take Ownership 


Viewing and Changing NTFS Permissions 


If you're willing to plunge into the sometimes 
confusing realm of NTFS permissions, you can 
significantly tighten control over who is allowed to 
access files and folders on a local computer. With 
Windows 2000 Professional, in fact, working directly 
with NTFS permissions is your only option for setting 
security on files and folders. With Windows XP, by 
contrast, direct access to NTFS permissions is blocked 
by default in favor of the easy-to-use but severely 
limited Simple File Sharing scheme; depending on the 
version of Windows XP you use, however, you might be 
able to disable Simple File Sharing and expose the 
Windows 2000-style NTFS permissions interface. (See 
Turning Off the Simple File Sharing Interface in 
Windows XP for step-by-step instructions.) 


Using the full range of NTFS permissions allows you to 
fine-tune access in the following ways: 


e Control access to files and folders on 
any NTFS-formatted drive. This 
capability is especially useful if you use 
multiple volumes to store data. For 
instance, you might store all your digital 
pictures and home movies on a separate 
physical disk whose drive letter 
distinguishes it from the disk where your 
My Documents folder is located. Using 
NTFS permissions, you can restrict 
access to the separate disk so that you 
and your spouse can view and edit the 
files, but your kids are locked out of 
some subfolders and limited to read-only 
access in other locations. This option 
isn’t available if you use Simple File 
Sharing, in which every user has 
unrestricted access to files and folders 
outside private user profiles. 


e Allow different types of access to 
different users or groups of users. In 
a small office, you might set up an 
account for temporary workers that 
allows them to see only those files and 
folders they require to perform their 
tasks. You could assign a different set of 
permissions to your office manager, 
allowing access to accounting and payroll 
information while still restricting his or 
her access to sensitive legal documents. 


e Set custom permissions on any file 
or folder. Using the full set of NTFS 
access controls, you can apply different 
permissions to files stored in the same 
folder. Permissions then depend on the 
account and group membership of the 
user trying to access those files. You 
might use this capability to grant access 
to a library of Word documents that you 
use as templates; by adjusting NTFS 
permissions for the Templates folder to 
limit all users except you to read-only 
access, you can protect your carefully 
crafted templates from being 
inadvertently wiped out by another 
user’s changes. 


Blindly experimenting with NTFS 
permissions when you don’t understand 
how the various permissions interact can 
lead to unexpected and unwelcome results. 
If you’re not careful, you can leave security 
holes that allow unauthorized users to view 
files, or you can inadvertently block your 
own access to files and folders that you use 
regularly. Working with the built-in 
permission sets—Full Control, Modify, and 
so on—is the safest strategy. If your 
security setup demands that you use 
special permissions, experiment first using 


a test folder filled with files that don’t 
contain sensitive information. When you're 
certain you’ve worked out the correct mix 
of permissions, apply them to the folder 
containing your real working files and 
delete the test folder. 


Turning Off the Simple File Sharing 
Interface in Windows XP 


If you’re running Windows 2000 Professional, the 
properties dialog box for every file and folder on an 
NTFS volume includes a Security tab where you can 
add or change access controls for individual users and 
groups of users. If you use Windows XP Professional in 
a workgroup or stand-alone configuration, this tab is 
normally hidden; to work with the full set of NTFS 
permissions, you must disable Simple File Sharing. If 
you use Windows XP Professional and are a member of 
a Windows domain, the Simple File Sharing option is 
disabled by default and your options for setting file 
and folder permissions are essentially identical to 
those used in Windows 2000. 


To disable the Simple File Sharing interface and use 
the full complement of Windows 2000-style file 
permissions, open any folder in Windows Explorer (the 
My Documents or My Computer folder will do) and 
choose Tools, Folder Options. Click the View tab, scroll 
to the bottom of the list, and then clear the Use 
Simple File Sharing (Recommended) check box. 


You must be logged on as an administrator 
to enable or disable the Simple File Sharing 
option. 


If you use Windows XP Home Edition, your NTFS 
options are severely limited. The only way to view the 
Security tab for point-and-click access to the full set of 
NTFS permissions is to restart your computer in Safe 
Mode and log on as an administrator. The alternative, 
if you’re willing to work from the command line, is to 


use the Cacls or Xcacls utility described in Setting 
NTFS Permissions Using Command-Line Utilities. 


You should disable Simple File Sharing only if you’re 
absolutely confident that you understand the 
consequences your decision will have for how users 
can access files and folders shared over a network, as 
we explain in detail in Chapter 14, “Network Security 
101.” 


How Simple File Sharing Sets NTFS 
Permissions 


When you use security options in the 
Simple File Sharing interface, Windows XP 
acts on your behalf to apply a strictly 
defined set of permissions to selected 
objects while hiding the full details of what 
it’s doing. If you know the basics of NTFS 
permissions, you can understand what’s 
happening behind the scenes: 


Default permissions (user profile). 
When you create a new user account and 
log on for the first time, Windows XP 
creates an empty set of user profile folders 
and assigns Full Control permissions for the 
new user. In addition, Windows assigns Full 
Control permissions to the built-in 
Administrators group and the System 
account. Windows designates the logged-on 
user as the Creator Owner of these folders; 
the owner has full rights to work with the 
files and folders and to change the access 
controls on these files. 


Default permissions (outside user 
profile). When any user creates a new 
folder outside his or her user profile in the 
root of an existing volume (C:\, for 
instance), Windows assigns Full Control 
permissions to the user who created the 
folder, to the built-in Administrators group, 
and to the System account. In addition, 


users with limited accounts have Read & 
Execute permissions for the newly created 
folder. Note that the permissions applied 
might be different in other locations for new 
subfolders created within existing folders, 
especially in system folders where special 
permissions are inherited. For instance, 
when you log on as an administrator and 
create a new subfolder in the Program Files 
folder, the Power Users group inherits 
Modify permissions in that subfolder, 
whereas members of the Users group have 
Read & Execute permissions only. 


Private folders. Selecting the Make This 
Folder Private option removes the 
Administrators group from the list of 
permitted users, leaving only the user’s 
account and the built-in System account on 
the Permissions list. (A member of the 
Administrators group can regain access by 
taking ownership of the folder.) 


Shared folders. As the name implies, the 
Shared Documents folder and its subfolders 
are available for use by anyone with an 
account on the computer. Members of the 
Administrators group have Full Control 
permissions for this folder and all its 
subfolders. Members of the built-in Power 
Users group (available only in Windows XP 
Professional) have Modify permissions, 
giving them all rights except the ability to 
change permissions or take ownership of 
files in this folder. Finally, those with limited 
accounts (members of the built-in Users 
group) have Full Control permissions for 
files they create but Read & Execute 
permissions for all other files and folders. 
Thus, they can create new files in the 
Shared Documents folder and can read and 
open files created by other users, but they 


cannot modify or delete any files except 
those they created. 


It’s important to note that simply enabling 
or disabling the Simple File Sharing 
interface doesn’t in itself adjust any 
permissions. You must move a file or make 
a folder private to actually change 
permissions. Also, Simple File Sharing 
options affect only those ACEs that are 
used for Simple File Sharing: 
Administrators, Everyone, System, and 
Owner. Any other permissions (including 
those set from the command line or those 
carried over as part of an upgrade from 
Windows 2000) are unaffected. 


Setting NTFS Permissions Through 
Windows Explorer 


This section assumes that you’re running Windows 
2000, or that you’ve disabled the Simple File Sharing 
interface in Windows XP Professional, or that you’ve 
started Windows XP Home Edition in Safe Mode. To 
view and edit NTFS permissions for a file or folder in 
any of these configurations, right-click the file or folder 
icon, choose Properties, and then click the Security 
tab. The dialog box that’s displayed lists all the groups 
and users with permissions set for the selected object. 


If the user or group whose permissions you want to 
change is already listed here, you can add permissions 
by selecting check boxes in the Allow column or 
remove permissions by clearing boxes. Select check 
boxes in the Deny column only if you want to explicitly 
forbid certain users from exercising a specific 
permission. Deny access control entries take 
precedence over any other permission settings that 
apply to an account, such as those granted through 
membership in a group. If you want to completely lock 
out a specific user or group from access to a selected 


file or folder, select the Deny check box on the Full 
Control line. 


Avoid the Deny boxes 


Although using the Deny options on the 
Security tab might sound like a great way 
to tighten security on confidential files and 
folders, we suggest that you resist the 
temptation to use this column. Deny 
permissions are typically used on large 
networks where many groups of users are 
defined, with different levels of permissions 
that overlap and sometimes conflict; in 
these circumstances, administrators use 
Deny permissions to exercise tight control 
over sensitive files in specific locations. 
Even for Windows experts, unraveling the 
interactions between Allow and Deny 
permissions can be a daunting task. Ona 
computer shared by a few users in a home 
or a small business, you can almost always 
meet your security needs by selecting and 
clearing check boxes in the Allow column. 


To set permissions for a group or user whose name 
isn’t currently listed in the Group Or User Names box 
(the Names box in Windows 2000), follow these steps: 


1. Open the properties dialog box for the 
file or folder and click the Security tab. 
(If you’re using Windows XP Professional 
and the Security tab is unavailable, you 
need to disable Simple File Sharing, as 
explained in the previous section.) 


2. Click the Add button. 


3. In the Select Users Or Groups dialog 
box, enter the name of the user or 
group. When entering multiple names, 
separate them with semicolons. The 
technique for adding names varies 


slightly, depending on which version of 
Windows you’re using: 


e With Windows 2000 
Professional, you can 
select user or group names 
from a scrollable list at the 
top of the dialog box, as 
shown here, or enter the 
user name (not the full 
name) directly. 


-With Windows XP 
Professional, you can enter 
the user name (which may 
be different from the full 
name displayed on the 
Welcome screen) or group 
name as shown here. To 
choose from a list of all 
available users or groups 
(including special 
accounts), click the 
Advanced button and then 
click Find Now. 


‘These instructions 
assume that you are 
adjusting permissions on a 
computer that is not a 
member of a Windows 
domain. In that case, 
Windows checks user and 
group names against the 
database for the local 
computer. If the computer is 
joined to a domain, the Select 
Users Or Groups dialog box 
automatically looks for names 
using the complete list in the 
domain directory, includes a 
full set of search tools, and 


allows you to enter full names 
instead of user names. If you 
want to assign permissions 
only for users with accounts 
on the local computer, use the 
drop-down Look In list in 
Windows 2000 to select the 


computer name; ona 
Windows XP Professional 
computer, click the Locations 
button and choose the 
computer name instead of the 
domain. 


4. Click the Check Names button. If the 
name you entered exists in the accounts 
database, Windows fills in missing details 
such as the computer name or domain 
name. If the name doesn’t match an 
existing entry, you see an error 
message; in that case, correct the name 
and try again. 


5. Click OK to return to the Security tab 
and set permissions for the newly added 
user(s). 


For additional discussion of NTFS permissions in 
Windows XP, including instructions on how to work 
with special accounts, see Chapter 13, “Securing Files 
and Folders,” in our earlier book, Microsoft Windows XP 
Inside Out (Microsoft Press, 2001). 


Troubleshooting 


You can’t change file or folder 
permissions. 


If you’re unable to set permissions on a file 
or folder, look for the “symptom” in this list 
and try the following problem-solving 
techniques: 


The Security tab is not visible. If you're 
using Windows XP Home Edition, the 
Security tab is available only when you 
start your computer in Safe Mode. If you’re 
using Windows XP Professional, choose 
Tools, Folder Options and clear the Use 
Simple File Sharing (Recommended) check 
box on the View tab. If you see a Sharing 
tab only (Windows 2000 Professional or 
Windows XP Professional with Simple File 
Sharing disabled), open the My Computer 
window and check the properties for the 
drive; the most likely explanation is that 
the drive is formatted using the FAT32 file 
system, or you’re looking at a CD-ROM, 
which uses the CDFS file system. The 
Security tab is visible only on NTFS drives. 


You've made changes, but the check 
marks disappear. This situation occurs in 
Windows XP and usually isn’t a problem at 
all. If you set permissions and apply them 
to anything other than the default location 
—This Folder, Subfolder, And Files— 
Windows adds a check mark in the Special 
Permissions box. When you view 
permissions for a folder, this check box is at 
the bottom of the Permissions list; you 
have to scroll down to see it. You can view 
the applied permissions by clicking the 
Advanced button, selecting the user or 
group, and clicking the Edit button. 


Permission settings are unavailable. 
Check your user account rights. You must 
be logged on as a member of the 
Administrators group or be the owner of an 
object in order to set its permissions. These 
settings are also unavailable on objects 
stored in some protected system folders, 
including certain subfolders within the 
Program Files folder that are created during 
Windows Setup. If the selected object is 


inheriting its permissions from a parent 
folder you must remove the inheritance 
before you can set custom permissions. 


Setting NTFS Permissions Using Command- 
Line Utilities 


Cacls.exe, a command-line utility available in all 
versions of Windows XP and Windows 2000, provides 
another way to view and edit permissions. With Cacls 
(short for “Control ACLs”), you can view existing 
permissions on files and folders by typing cacls 
filename at a command prompt (where filename is 
the name of the file or folder whose permissions you 
want to inspect or change). You can also change 
permissions on files and folders by appending the 
appropriate switches and parameters to the end of the 
command line. If you’re working at a command line 
and you type cacls, you see the syntax for the 
command. 


Use wildcards as a shortcut 


The Cacls utility accepts conventional 
wildcard characters as arguments, including 
* and ?, making it easy to quickly view or 
change permissions on a group of files from 
the command line. Use *.* to apply the 
command to all files in the current 
directory, for instance. You can also narrow 
down the effect of the command by using 
wildcards with the filename argument; if 
you use the command cacls *.doc, for 
instance, followed by the correct switches, 
you can apply Read & Execute permissions 
to all Word documents currently stored in a 
specific folder for a specific group of users, 
while still allowing those users to open, 
edit, and save changes to other types of 
documents in that location. One little- 
known wildcard, the single period that 
stands for the current directory, is 


especially useful with the Cacls command. 
To see the permissions for the current 
folder without having to type its full name 
and path, add a space and a period (cacls.) 
after the command. 


When you view permissions with Cacls, you see a brief 
list of ACEs for every file or folder that makes up the 
filename argument. Each ACE includes the user 
account name and a single letter for any of three 
standard permission settings: F for Full Control, C for 
Change (equivalent to the Modify option on the 
Security tab), R for Read (equivalent to Read & 
Execute permission). In addition, any permissions that 
are applied through inheritance from a parent folder 
get a separate listing in the Cacls output. Any other 
combination of settings from the Security tab or the 
Advanced Security Settings dialog box generates a list 
of individual special permissions that will send you 
scrambling to Windows Help and Support for an 
explanation. 


Cacls is useful for quickly determining the permissions 
for an object without having to drill down through 
multiple dialog boxes. If you’re comfortable working in 
a Command Prompt window, it’s never more than a 
few keystrokes away. If you’re an administrator, 
especially if you’re responsible for computers running 
Windows XP Home Edition, it’s an indispensable part of 
your toolkit. 


Get a more powerful permission tool 


If you like Cacls, you'll love Xcacls. As the 
name suggests, it’s an extended version of 
the basic utility included with Windows 
2000 and Windows XP. Xcacls allows you to 
set all file permissions that are accessible 
through Windows Explorer, including special 
permissions, on directories (folders) as well 
as on files. This utility is included in the 
Support Tools collection found on the 
Windows XP CD in 


\Support\Tools\Support.cab. Windows 2000 
users can download it from 

http://www. microsoft.com/windows2000/te 
chinfo/reskit/tools/existing/xcacls-o.asp. 


In addition to viewing access control settings, you can 
also set permissions with Cacls. In fact, in Windows XP 
Home Edition, this utility provides the only way to 
adjust individual permissions without restarting in Safe 
Mode. Use the switches listed in Table 5-3 to modify 
the effects of Cacls. 


Table 5-3. Command-Line Switches for Cacls.exe 


Switch What It Does 


/T Changes the permissions of specified 
files in the current directory and all 
subdirectories 


/E Edits the access control list instead of 
replacing it 
/C Continues to work on additional files 


even if you receive one or more 
“Access Denied” errors; without this 
switch, execution stops on the first 
such error 


/G Grants the specified user access 
user:perm rights; if used without /E, completely 
replaces the existing permissions 


/R user Revokes the specified user’s access 
rights (must be used with /E) 


/P Replaces the specified user’s access 
user:perm rights 


/D user Denies access to the specified user 


For the /G and /P switches, use one of the following 
four letters to replace the perm placeholder: 


e F (for Full Control) is equivalent to 
selecting the Allow check box next to Full 
Control on the Security tab. 


e C (for Change) is equivalent to selecting 
the Allow check box for Modify. 


e R (for Read) is equivalent to selecting 
the Allow check box for Read & Execute. 


e W (for Write) is equivalent to selecting 
the Allow check box for Write. 


Note that you can use wildcards to specify more than 
one file in a command. You can also specify more than 
one user in a command. For instance, if you've created 
a subfolder called Archives in the Shared Documents 
folder and you want Carl to have Full Control 
permission and Ed to have Read & Execute permission 
in that folder, open a Command Prompt window, 
navigate to the Shared Documents folder, and type the 
following command: 


cacls archives /g carl:f ed:r 


If you then decide to revoke Ed’s access rights and 
give Read & Execute permission to the Administrators 
group, you can type this command: 


cacls archives /e /r ed /g administrators:r 


Just because you can set permissions with 
Cacls doesn’t mean you should. It’s easy to 
make a mistake that causes you to lose the 
existing permissions on a file. If you're 
using Windows XP Professional, there’s no 
reason to use Cacls to set permissions. If 
you're using Windows XP Home Edition, try 
the Cacls command on a test folder first to 
ensure that your settings have the desired 


effect before you use this command on your 
actual working files. 


Applying Permissions to Subfolders 
Through Inheritance 


In addition to permissions that are set by a user or by 
a program (including Windows Setup), files and 
subfolders can inherit permissions from a parent 
folder. By default, any new permissions you assign to a 
folder are passed on to its subfolders as well. Thus, 
when you set permissions for your Accounting folder 
specifying that only you and your office manager have 
Full Control permissions for the contents of that folder, 
any new subfolders you create in that location inherit 
those permissions. You can explicitly remove inherited 
permissions from an object; you can also apply 
permissions to an object and specify that those 
permissions are not to be inherited by subfolders. 


Under some circumstances, you might want to prevent 
permissions from being inherited by changing the 
inheritance options for a folder. In other cases, you 
might choose to break the link between a subfolder 
and the permissions it inherited from its parent folder, 
allowing you to explicitly define permissions for the 
subfolder. 


To see the inheritance options for a selected folder, 
right-click the folder icon, choose Properties, click the 
Security tab, and then click the Advanced button. 


With Windows 2000, an extremely subtle difference in 
the shading of the key icon used in each permission 
entry is your only clue that an entry is inherited. As 
you scroll through each item in the Access Control 
Settings dialog box, the text at the bottom discloses 
whether its permissions have been inherited from a 
parent folder or have been defined directly, as shown 
in the example in Figure 5-4. 


“-Figure 5-4. Shading on the key icon to the left 
of a permission entry indicates that the permission 
has been inherited rather than defined directly. 


By contrast, the Advanced Security Settings dialog box 
in Windows XP Professional makes it easy to identify 


inherited permissions. The Inherited From column in 
the Permission Entries list shows the parent folder 
from which a given set of permissions is inherited. In 
the example shown in Figure 5-5, the Users group 
inherits Read & Execute permissions from the access 
control list on the root folder of drive F, whereas the 
Modify permissions assigned to the Power Users group, 
designated as <not inherited>, have been applied 
directly on this folder. 


Figure 5-5. Before you can change or remove 
permissions inherited from a parent object, you 
must break the inheritance. 


In this example, the inherited permissions make it 
possible for any user with a limited account to read the 
contents of the folder. If your goal is to lock out limited 
users and allow only members of the Power Users and 
Administrators groups to access the selected files, you 
must first remove the inherited permissions. To do so 
in Windows XP, clear the option labeled Inherit From 
Parent The Permission Entries That Apply To Child 
Objects. (In Windows 2000, the corresponding check 
box is labeled Allow Inheritable Permissions From 
Parent To Propagate To This Object.) As soon as you 
clear this check box, you see the following dialog box, 
which warns you to specify how you want to reset the 
permissions on the selected folder. (In Windows 2000, 
your choices are the same, although the accompanying 
explanatory text differs slightly.) 


“-Choose one of the following three options: 


e Copy. This option copies the permissions 
from the parent folder to the current file 
or folder and then breaks the inheritance 
link to the parent folder. After choosing 
this option, you can adjust the 
permissions to suit your security needs. 


e Remove. This option completely 
removes the inherited permissions and 
keeps only the permissions that are 
currently assigned to the file or folder 


directly. In some cases, this results in an 
object that has no permissions and is 
thus inaccessible to anyone until the 
owner changes the permissions. If you 
click OK to make this change, Windows 
warns you with this dialog box: 


“Cancel. This option closes the dialog 
box and leaves the inheritance options 
intact. 


When you remove inherited permissions from a folder, 
the folder becomes a new parent object. By default, 
any permissions you assign to this folder ripple down 
the hierarchy of subfolders and to files within those 
subfolders as well. 


Normally, inheritance of permissions simplifies the task 
of administering security settings on a computer. If 
you designate a set of custom permissions for a folder, 
you can count on those permissions cascading down to 
subfolders and files stored in the same location and 
rest assured that that data is accessible only to users 
and groups who have permission. In some specific 
scenarios, however, you might want to apply two or 
more sets of permissions to the same folder for the 
same group, with each set of permissions having 
different inheritance settings. When you create a set of 
permissions for a user or group, you can specify that 
those permissions apply to the current folder, to files 
within that folder, or to subfolders. You can also 
choose any combination of these three options, setting 
one group of permissions that apply to This Folder and 
another set to Subfolders And Files for the same user 
or group. 


What Happens to Permissions When You 
Copy or Move Files? 


After you painstakingly set permissions on a group of 
folders to restrict access, you might be surprised to 
see that files you move or copy take on new 
permissions. Under some circumstances, in fact, 
double-clicking a file or folder icon can result in an 
“Access Denied” error message, even when the user in 
question has been granted Full Control permission in 
the current folder. 


To understand why this problem occurs, you need to 
understand what happens when you move or copy files 
or folders from one location to another. During the 
move or copy operation, the permissions on the files 
or folders can change. Windows 2000 follows a strict 
set of rules when applying permissions during a move 
or copy operation. Windows XP applies the same rules 
when Simple File Sharing is disabled but uses a 
different set of rules when Simple File Sharing is 
enabled. 


When the Windows 2000-style rules are followed, 
you'll encounter the results listed here; note that the 
results depend on whether you’re moving or copying 
the object and whether the destination is on the same 
drive (as indicated by the drive letter) or on a different 
drive: 


When you copy a file or folder to an NTFS drive... 
The newly created object takes on the permissions of 
the destination folder, just as if you had created the 
object from scratch. The original object retains its 
permissions. This is true whether the destination is on 
the same NTFS drive as the original file or on a 
separate NTFS drive. You become the Creator Owner 
of the new file or folder, which means that you can 
change its permissions. 


When you move a file or folder within a single 
NTFS drive... The moved object retains its original 
permissions and you become the Creator Owner. If you 


move a file from a highly restricted location on drive C 
to your Shared Documents folder on drive C, whose 
ACL allows access to a wider group of users, the file 
remains restricted to the original, smaller group of 
users. 


When you move a file or folder from one NTFS 
drive to another... The moved object picks up the 
permissions of the destination folder and you become 
the Creator Owner, as if you had copied the object to 
its new location and then deleted the original. If you 
move a file from a restricted folder on drive D to your 
Shared Documents folder on drive C, the file is 
available to everyone with access rights to the Shared 
Documents folder. 


When you copy or move a file or folder from a 
FAT32 drive to an NTFS drive... The newly created 
object picks up the permissions of the destination 
folder and you become the Creator Owner. 


When you copy or move a file or folder from an 
NTFS drive to a FAT32 drive... The moved or copied 
object in the new destination loses all permission 
settings because the FAT32 file system is incapable of 
storing these details. 


With Simple File Sharing enabled on Windows XP, 
these rules change in a subtle but significant way. 
When you move or copy files or folders from a folder 
you've made private to any other location on an NTFS 
volume, the moved or copied objects take on the 
security attributes of the destination folder—in most 
cases, that means they’re freely available to all other 
users. When you drag a file out of your private My 
Documents folder and drop it in the Shared Documents 
folder, for instance, that file is accessible to all other 
users of the local computer. Conversely, when you 
move a file from the Shared Documents folder into 
your private My Documents folder, it becomes a 
private file accessible only to you. It doesn’t matter 
whether you move or copy the file; Simple File Sharing 
always adjusts permissions to match the destination. 


In one particular set of circumstances, you might drag 
one or more files or folders from your My Documents 
folder to the Shared Documents folder, only to discover 
that other users are unable to access the file. This 
problem occurs if the following conditions apply: 


e The drive that contains the Documents 
And Settings folder is formatted using 
the NTFS file system. 


e You’ve made your entire user profile 
private (as you were prompted to do 
when you added a password to your 
account). 


e You've disabled Simple File Sharing. 


Because both locations are on the same NTFS- 
formatted drive, dragging any file or folder from your 
user profile to the Shared Documents folder moves the 
selected object without changing its access control list. 
As a result, other users can see the icon for the file or 
folder but are greeted with an “Access Denied” error 
message when they double-click it. Frustrating, isn’t 
it? The solution to this dilemma is simple. If you’ve 
disabled Simple File Sharing, never move a file from 
your personal profile to a shared location. Instead, get 
in the habit of copying the file. The new copy inherits 
the permissions from the destination folder (Shared 
Documents) and is therefore available to every user. 
After copying the file or folder, you can safely delete 
the original from your private folder. 


File permissions can behave unexpectedly in several 
other circumstances as well. For example, if you use 
the Move command from a command prompt when the 
source and destination folders are on the same drive 
but have different permissions, the moved file will 
retain its old permissions. 


How to Break into Files and Folders When 
You Don’t Have Access Rights 


As we pointed out in Chapter 1, physical security is an 
absolute prerequisite for effective file and folder 
security. That fundamental principle means that 
anyone with time, a modest amount of computer 
smarts, and physical access to your computer can 
break the permissions you set on files and folders 
using NTFS-based access controls. In fact, any user 
who is a member of the Administrators group on your 
computer can gain access to your files and folders by 
taking ownership of those files. Mind you, we’re not 
suggesting that you use these tactics to violate 
another person’s privacy. But knowing how to forcibly 
take over ownership of a group of files can come in 
handy in some perfectly legitimate circumstances—if 
your Windows system files become corrupted and you 
reinstall Windows, you will be able to access the data 
in your user profile only by taking ownership of the file 
using your new security credentials. 


Every file or folder on an NTFS volume has an owner, 
who in turn has the right to allow or deny permission 
for other users and groups to access the file or folder. 
As owner, you can lock out every other user, including 
all members of the Administrators group. (That’s how 
the Make This Folder Private option works—by 
removing the Administrators group from the ACL for a 
user’s profile folder.) 


One of your rights as owner is the ability to turn over 
responsibility for a file or folder to another user. You 
can accomplish that task directly by changing the 
owner of the object to another user, a strategy that 
works only if the other user is a member of the 
Administrators group. If the other user has a limited 
account, you can change the ACL for the object and 
allow the other user to take ownership of the object; 
the easiest way to accomplish this goal is to give the 
other user Full Control permission. In addition, any 
member of the Administrators group can take 


ownership of any file or folder, with or without your 
knowledge, although he or she cannot transfer 
ownership to another user. 


Turning over the ownership of a file or folder makes 
sense when you want someone else to be responsible 
for setting permissions for that object. To ensure a 
smooth transition of power, use one of the following 
techniques: 


e If you’re the owner of the object, follow 
these steps: 


1. Right-click the file or folder 
icon and choose Properties. 


2. On the Security tab, click 
the Advanced button to 
open the Advanced 
Security Settings dialog 
box (Windows XP) or the 
Access Control Settings 
dialog box (Windows 2000) 
for the file or folder. 


3. Click the Owner tab. As the 
example in Figure 5-6 
shows, this dialog box 
displays the user name of 
the current owner. You can 
transfer ownership to any 
user or group in the list, 
which typically includes the 
Administrators group. 


“-Figure 5-6. The list 
of names in the 
Change Owner To box 
includes all members 
of the local 
Administrators group. 


4. If the selected object is a 
folder and you want your 


change to apply to all files 
and subfolders within that 
folder, select the Replace 
Owner On Subcontainers 
And Objects check box. 
(This option is unavailable 
if the selected object is a 
file icon.) 


5. Select a name from the 
Change Owner To list and 
click OK. 


e If you’re an administrator, you can take 
ownership directly. Open the Advanced 
Security Settings dialog box (Windows 
XP) or the Access Control Settings dialog 
box (Windows 2000) for the selected 
object, click the Owner tab, and choose 
your own name from the Change Owner 
To list. 


e If you’re not an administrator, you must 
first be explicitly granted the right to 
take ownership of a file or folder. Ask the 
current owner or any member of the 
Administrators group to add your 
account to the ACL for the file or folder 
and give you the Take Ownership 
permission. You can find this permission 
at the bottom of the list of special 
permissions available by clicking Edit on 
the Permissions tab of the Advanced 
Security Settings dialog box. It’s also 
included as part of the Full Control basic 
permission. 


Ultimately, the ability of an administrator to take 
ownership of files and folders means that you cannot 
count on absolute privacy for any files stored on an 
NTFS drive unless you use additional means (such as 
encryption) to protect them. No matter how securely 
you lock up unencrypted files, an administrator can 


break the lock by taking ownership of the files. This is 
a brute-force solution, however, and it’s not something 
that can be easily hidden. If you’re concerned about 
security and you want to monitor changes in 
ownership of file-system objects, configure your 
system so that Take Ownership events in a particular 
location are audited. You'll find step-by-step 
instructions in Auditing Security Events. 


Keep an eye on temporary files 


Restricting access to the files and folders in 
your user profile is a good first step, but 
don’t overlook other locations where copies 
of personal files can appear. Word 
processing programs, for example, often 
create temporary files or automatically save 
backups of documents as you edit. If these 
copies are stored in an insecure location, 
such as a shared folder used for storing 
temporary files, another user could browse 
through your work and uncover details that 
you would prefer remain hidden. Make sure 
you know where temporary files are being 
stored. For security’s sake, this location 
should be in your user profile, where you 
can keep it secure and delete files as 
needed. 


Locking Up Personal 
Documents 


As personal computers insinuate themselves ever 
more deeply into the details of our daily lives, the 
need to protect personal data files becomes 
increasingly important. Even if you think your life 
is absolutely unexceptional, you might be 
surprised at the amount of confidential 
information stored on your computer—from 
medical records to credit card numbers to 
passwords that unlock your bank account. If you 
believe your personal files are no one else’s 
business, make certain they’re stored under a 
virtual lock and key. The exact procedures for 
securing their storage vary, depending on which 
version of Windows you’re using. 


Making a Folder Private with Windows 
XP 


If you use either Windows XP Home Edition or 
Windows XP Professional, any files you store in 
your personal profile (including the entire 
contents of your My Documents folder) are 
normally accessible to any user who logs on to a 
computer with an account in the Administrators 
group. Because Windows XP assigns every new 
account to the Administrators group by default, 
the practical effect is that you cannot be certain 
your personal files are protected unless you 
specifically exercise the option to make them 
private. 


Figure 5-7, for instance, demonstrates how 
Windows XP routinely makes each user’s personal 
documents accessible to other users of the same 
computer. In this example, the current user has 
logged on using an account in the Administrators 
group. When she opens the My Computer folder, 
she sees a separate folder icon representing the 
My Documents folder for each user who has an 
account on that computer. As an administrator, 
she can open, delete, change, and add files in 
any of those folders. 


“-Figure 5-7. Because Katie is logged on as 
a member of the Administrators group, she 

has full permission to work with Greg’s and 

Bianca’s files. 


By contrast, a user with a limited account sees 
only his or her personal documents folder in the 
My Computer window. Any limited user who tries 
to browse another user’s personal files by 
opening Windows Explorer and navigating to that 
user’s profile in the Documents And Settings 


folder will see an “Access Denied” error message. 
Thus, if yours is the only administrator account 
on a given computer and all other users have 
limited accounts, you can safely store your 
personal files in your My Documents folder, 
without having to worry about making them 
private. However, if your computer’s local 
accounts database includes more than one 
account in the Administrators group, making your 
personal folders private is essential. 


At first glance, protecting your personal files from 
unauthorized access is a simple, straightforward 
task that involves selecting a single check box. In 
practice, however, this option is deceptively 
complex. If you’re not careful, you could end up 
with less protection than you bargained for. 
Here’s what you need to know about using the 
Make This Folder Private option in Windows XP: 


e The disk on which your personal 
profile is stored must be formatted 
using the NTFS file system. As we 
pointed out earlier, the Make This 
Folder Private feature performs its 
magic by adjusting NTFS 
permissions; it is therefore 
unavailable on a disk formatted 
using the FAT32 file system. 


e The Make This Folder Private option 
is available only if you have Simple 
File Sharing enabled. Ona 
computer running Windows XP 
Home Edition, Simple File Sharing 
cannot be disabled. On a computer 
running Windows XP Professional 
that is joined to a Windows domain, 
Simple File Sharing is not available 


at all. If your computer is running 
Windows XP Professional in a 
stand-alone or workgroup 
configuration, Simple File Sharing is 
an option. 


e Your user account must be 
protected with a password. 
Although you can choose the Make 
This Folder Private option after 
logging in with an account that has 
a blank password, the option is 
meaningless without a password to 
protect the account because any 
user can then log on using that 
account. If you attempt to make a 
folder private and your account is 
not protected with a password, 
Windows XP prompts you to create 
a password, as shown here: 


-The Make This Folder Private 
option is available only for your 
user profile and its subfolders. You 
cannot select this check box for any 
other folder, including those in 
another user's profile. 


Get easy access to profiles 


To quickly view the entire contents of 
your personal profile in Windows 
Explorer, take advantage of the 
%UserProfile% system variable. To 
see the common locations that are 
available for all users of the current 
computer, use the system variable 
%AllUsersProfile%. Type either value 
(including the percent signs) ata 


command prompt and press Enter to 
work directly with the selected profile; 
or create a shortcut with either of 
these variables as the target and save 
it on the shared desktop 
(%AllUsersProfile%\Desktop). 


e Making a folder private makes all 
files in that folder and all its 
subfolders inaccessible to other 
users. When Simple File Sharing is 
enabled, you cannot selectively 
grant or deny access on a file-by- 
file basis using the Windows 2000- 
style user interface. (You can work 
around this restriction in Windows 
XP Home Edition, however, if you're 
willing to boot into Safe Mode 
temporarily or tinker with the Cacls 
command-line utility; for details, 
see Viewing_and Changing NTFS 
Permissions. ) 


e You can reverse the decision to 
make a folder private by clearing 
the Make This Folder Private check 
box. Using this option resets the 
permissions on the selected folder, 
on all its subfolders, and on all files 
contained in that location. 


In technical terms, the Make This Folder Private 
option performs a simple adjustment of NTFS 
permissions. Normally, for each user’s profile on 
an NTFS volume, Windows XP grants Full Control 
access permissions to the user account that owns 
that profile, to the System account, and to the 
Administrators group. Selecting the Make This 
Folder Private option removes the access control 


entry for the Administrators group, leaving only 
the owner and the System account with access. 


The easiest way to make your entire user profile 
private is to let Windows XP do it. After you 
create a password for a user account, Windows 
XP presents the dialog box shown in Figure 5-8. 
Click the Yes, Make Private button to change the 
access permissions on your entire user profile. 


“-Figure 5-8. Choose the Yes, Make Private 
option to restrict access to all files in all 
subfolders in your user profile. 


Don’t be fooled by the text in this dialog box, 
however, which is at least misleading and 
arguably just plain wrong. The explanatory text 
claims that making your files private “will prevent 
users with limited accounts from gaining access 
to your files and folders.” In fact, as we’ve 
pointed out, users with limited accounts are 
already locked out of your personal files and 
folders. Clicking the Yes, Make Private button will 
prevent all users, including those with accounts in 
the Administrators group, from accessing your 
files and folders. 


Restore the Make This Folder 
Private option 


If you elected not to make your 
personal files private when you first 
assigned a password to your account, 
what should you do if you change your 
mind later? You could open Windows 
Explorer and browse to the 
Documents And Settings folder, which 
contains the user profile for each user 
who has logged on to the local 
computer. Right-click the icon for your 
user account, choose Sharing And 


Security, and then select the Make 
This Folder Private option. As an 
alternative, you can visit the User 
Accounts option in Control Panel and 
replace the password assigned to your 
account. Don’t use the Change My 
Password option; instead, first choose 
Remove My Password and then create 
a new password. As the final step in 
the process, Windows XP checks the 
permissions on the root folder of your 
personal profile (typically 
C:\Documents And 
Settings\username); if it detects that 
the Make This Folder Private option is 
not selected, it displays the dialog box 
shown in Figure 5-8. 


For maximum security, you should protect your 
entire user profile. Because the setting applies to 
all subfolders, choosing this option automatically 
protects not only your My Documents folder but 
also the folders used to store personal settings 
and application data, including Microsoft Internet 
Explorer cookies and history files, Microsoft 
Outlook Express messages, data files on your 
desktop, and shortcuts to documents you've 
viewed or edited recently. Any of these locations 
can disclose personal information that you might 
prefer not to reveal; for instance, anyone who 
looks in the Recent subfolder in your personal 
profile could see that you recently edited two 
Word documents called Employment 
Application.doc and Draft of Resignation 
Letter.doc. Even if such visitors were unable to 
open the files to which those shortcuts point 
(either because you deleted them or because 
they’re stored in a protected folder), they could 


safely surmise from the document titles that 
you're thinking of leaving your current job. 
Protecting your personal profile can also prevent 
inadvertent damage from a nosy and careless 
user who accidentally deletes important files 
while poking around in these locations. 


In one specific circumstance, you might decide to 
selectively protect individual subfolders within 
your personal profile. If your local computer’s 
accounts database includes two or more trusted 
users who are members of the Administrators 
group and at least one limited user, you can 
selectively use private folders to creatively 
manage access. On a shared office computer, for 
instance, where the business owner and the 
office manager are each members of the 
Administrators group and temporary workers 
have limited accounts, you could set up three 
default locations for storing data files, each with a 
different level of access: 


e Folders in your personal profile that 
you do not make private are 
accessible to other members of the 
Administrators group. If the boss 
creates an Accounting subfolder in 
her My Documents folder and does 
not make it private, the office 
manager has ready access to that 
folder as well, with everyone else 
locked out. 


e Any folder in your personal profile 
that you make private is accessible 
only to you. Thus, the boss can 
safely store confidential 
correspondence with her attorney 
by creating a Legal subfolder in her 


My Documents folder and making 
that folder private. 


Files in the Shared Documents 
folder can be opened by any 
authorized user of your computer, 
even if they have a limited account. 
This is the appropriate place to 
store brochures, advertising copy, 
and routine correspondence for any 
office worker to view and edit. 


If you’re aware of the security risks and decide 
that you want to be selective about which folders 
you make private, follow these steps: 


1. From any command prompt 
(including the Run dialog box), 
enter the command 
%userprofile%. A window opens, 
listing the contents of your user 
profile. 


2. If the Application Data folder is not 
visible, choose Tools, Folder Options 
and select the Show Hidden Files 
And Folders option on the View tab. 


3. Right-click the Application Data 
folder and choose Sharing And 
Security. Select the Make This 
Folder Private option, and then click 
OK to change the permissions for 
that folder. 


4°"Repeat step 3 for any other 
subfolders that you want to make 
private. Do not use this option on 
the My Documents folder. 


5. Double-click the My Documents 
folder and repeat Step 3 for any 
subfolders that you want to make 
private. 


Unfortunately, selectively applying the option to 
make individual folders private is cumbersome, 
and it has one serious drawback: There is no 
simple way to indicate which folders are private 
and which are public. If you choose this strategy, 
we recommend that you use a folder-naming 
scheme that clearly indicates which folders are 
private. For instance, you might add a single 
private subfolder in your My Documents folder, 
giving it a descriptive name such as My Private 
Files; you can then organize your private files 
using subfolders in that location. 


Protecting Personal Files in Windows 
2000 


If you use Windows 2000, your personal files are 
stored by default in your user profile. Just as in 
Windows XP, the default permissions give each 
user full control over his or her profile folders, 
with the System account and the Administrators 
group also getting Full Control permissions. 


Unlike Windows XP, Windows 2000 does not 
include a one-click option that allows you to 
make your files private. You can accomplish the 
same goal manually, however, by removing the 
Administrators group from the ACL for your user 
profile folder, using the technique described in 
Setting NTFS Permissions Through Windows 
Explorer. 


Encrypt files for maximum 
protection 


The ability of administrators to take 
ownership of files and folders makes 
NTFS access controls a less-than- 
foolproof solution for protecting truly 
sensitive documents. If you absolutely 
must store confidential information on 
a computer that other persons can 
access, make sure to encrypt it so that 
even if other users can gain access to 
the files, they can’t read the contents. 
The Encrypting File System in 
Windows 2000 and Windows XP 
Professional offers excellent 
protection; third-party software 
utilities also allow you to scramble 
files so that only you can decode 
them. For a full discussion of this 


powerful capability, see Chapter 18, 
“Encrypting Files and Folders.” 


Sharing Documents Securely on a Multiuser 
Computer 


Windows XP sets aside a group of folders that allow users to share documents 
with one another. The Shared Documents folder has its own icon in the My 
Computer window for all users who log on to the local computer. By default, 
the Shared Documents folder and its subfolders are located in the All Users 
profile (on a default setup, the path is C:\Documents And Settings\All Users). 
Members of the Administrators group have Full Control permissions for this 
folder and all its subfolders. Members of the built-in Power Users group 
(available only in Windows XP Professional) have all rights except the ability to 
change permissions or take ownership of files in this folder. Finally, those with 
limited accounts (members of the built-in Users group) can read and open files 
in the Shared Documents folder and can create new files, but they can modify 
or delete an existing file only if they are the file’s owner. 


On systems running Windows 2000, the C:\Documents And Settings\All Users 
folder exists, but its properties are subtly different. Under a default setup, you 
won't find an easy shortcut to reach this location, and its permissions are 
slightly more restricted, giving members of the Power Users and the Users 
groups the same limited rights for files created by other users. 


Creating Shared Document Shortcuts in Windows 2000 


Although Windows 2000 doesn’t include easy access to the Shared 
Documents folder through the My Computer window, as Windows XP 
does, you can add this feature in one of two ways. The simple 
solution is to create a shortcut that allows all logged-on users to 
access the All Users\Documents folder from the desktop or the Start 
menu. Begin by opening an Explorer window and entering 
%allusersprofile% \desktop in the Address bar. Point to any 
empty space in the folder pane, right-click, and choose New, 
Shortcut. In the Create Shortcut Wizard, enter 

%allusersprofile% \documents as the location of the item and 
Shared Documents as the shortcut name. The resulting shortcut 
appears on every user’s desktop. To add an identical shortcut to the 
Start menu, right-click the Start button, choose Open All Users, and 
use the New Shortcut Wizard (or copy the shortcut from the desktop 
to the All Users\Start Menu folder). 


A much more elegant (but also more complex) solution is to 
customize the My Computer namespace, the section of the registry 
that controls which icons appear in the My Computer window. Doing 
so turns the All Users\Documents folder into a system folder, like 
other objects in My Computer. You could make the changes 
manually, by calling up Registry Editor and adding a half-dozen keys 
and accompanying values, but it’s much easier to create a text file, 
save it with the .reg extension, and then double-click to import 
those values. (You'll find a copy of this and other handy files on the 
CD that accompanies this book, in the Author Extras folder.) 


wa 


; CreateSharedDocumentsNameSpace. reg 
;Creates a Shared Documents icon in the My Computer windo’ 
for Windows 2000 


Ne 


Windows Registry Editor Version 5.00 


[HKEY CLASS 


ES _ROOT\CLS!1 


@="Shared Documents" 


[HKEY CLASS 


ES ROOT\CLS!1 


[D\ {59031a47-3£72-44a7-89c5-5595fel 


\Defaultic 


@="C:\\WINNT\\system32\\SHI 


on] 


[D\ {59031a47-3£72-44a7-89c5-5595fel 


DHE e ee DLL, 420 


[HKEY CLASSI 


\InProcServer32] 


S ROOTYCILSIDY159091a47=3; 


£72-44a7-89c5-4595fel 


@=hex (2) :25,00,53,00,79,00,73,00, 74,00,65,00, 6d,00,52,00, 


Gt, 00, 74,00,25, 00,56, 00, 73,00, 79,00, 73,00, 74700; ERIMI 


33,00, 32,00, 5€; 00, 53,00,48, 00,45, 00,46; 00, 4e, 00 , ERFIR 
25,00, 64,00, 66,00, 66; 00; 00; OC 
"ThreadingModel"="Apartment" 


[HKEY CLASSES ROOT\CLSI 


\Shell] 


[HKEY CLASSI 


ES BOOTVCTS UD \ 590s la47 a4 


\Shell\Open Shared Documents] 


[HKEY CLASSI 


Users\\Doc 


[HKEY CLASSI 


\ShellEx] 


[HKEY 


CLASSES 


TS ROOT\CLSIDIS90391a47=3i 
\Shell\Open Shared Documents\Command] 
@="explorer /root,\"C:\\Documents And Settings\\Al1] 
uments 


IS ROOUVCLSID\1 5903 bad 734 


_ROOT\CLSID\ 15905124723 
\ShellEx\PropertySheetHandlers] 


[HKEY_CLASSES 


ROOT\CLSID\ {59031a47-3£72- 


[D\ {59031a47-3! 


ic 12> 


£72-44a7-89c575595fe 


£72-44a7-89c5-4595fel 


£72-44a7-89c5-4595fel 


£72-44a7-89c5-4595fel 


a7-89c5-54595fel.|’ 


a7-89c5-4595fel|’ 


\ShellEx\PropertySheetHandlers\ {59031a47-3£72-44a1-89c5- 
5595fe123456}] 


[HKEY CLASSI 


"Attributes"=hex:00,00,00,00 


Explorer\MyComput 
5595re1l234567] 


@="Shared Documents" 


(If you type this file yourself, note that the indented lines should be 
typed as part of the line above instead of starting a new line.) 


This trick works by creating a globally unique ID (GUID), which is 
the incredibly long number that begins with 59031a47 and is used 
to represent the Shared Documents folder. If you choose to adapt 
this technique to add other items as system folders, be sure to 
change the GUID. (Changing the last six numbers will suffice.) 


IS ROOT\CLSIDY159091a47=9172—/4a7 -89C 5-5595fel 
\ShellFolder] 


[HKEY LOCAL MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer 
ter\NameSpace\ {59031a47-3£72-44a7489c5- 


To create a Shared Documents icon on your desktop, edit the final 
entry in this file, replacing MyComputer with Desktop (or use the 
CreateSharedDocumentsOnDesktop.reg file found on the companion 
CD.) If you decide you want to remove the icon from your My 
Computer window, use RemoveSharedDocumentsNameSpace.reg, 
its companion registry file. This removal utility also comes in handy 
if you accidentally merge these registry entries into Windows XP and 
end up with two Shared Documents icons in your My Computer 
window! Don’t be fooled by the status message it displays: Although 
it warns that you’re about to add information to the registry, it does 
indeed remove the extra keys. 


For files and folders that you want to share with all users of a given computer, 
the Shared Documents folder is a suitable storage location. In other situations, 
however, you might want to create storage areas that are accessible to some 
but not all users, with differing levels of access for various users. You can 
accomplish this goal by managing NTFS permissions for the shared location. 
Carefully configured inherited permissions can be especially effective in an 
application of this sort. 


For instance, say that several workers in your office share a computer on which 
they create brochures and other documents using a desktop publishing 
program. All the members of the team have limited accounts, including your 
desktop publishing manager, Carl. You’ve set up a shared folder called Projects 
for use by everyone who has an account on the shared computer. In the main 
folder, you’ve stored a handful of templates that you want members of the 
team to use when creating new documents; you've also created a single 
subfolder for each project your team works on. Here’s what you want to 
accomplish: 


e Any user should be able to create a new document in any 
existing subfolder. 


e Any user should be able to create a new subfolder within an 
existing folder, but you want to prevent users from adding new 
subfolders within the top-level Projects folder. 


e A user should be allowed to change or delete any document he or 
she created. 


e Users should be able to open any document in any subfolder that 
was originally created by another user, but they must save their 
changes under a new name, leaving the original file intact. 


e Carl, your desktop publishing manager, should be able to modify 
or delete any project file created by any user. You don’t want to 
make him a member of the Administrators group, however, 
because that would give him too much access to other data 
stored on the same computer. 


To implement this scenario, start by giving the Administrators group and the 
System account full control over the folder, subfolders, and files. Next, give the 
Everyone group Read & Execute access to files within the top-level folder, with 
Read, Write & Execute permissions for subfolders. This allows users with 
limited accounts to open templates stored in the top-level folder but prevents 
the users from accidentally changing or deleting the templates. A limited user 
who tries to save a file in the top-level folder will see the error message shown 
here: 


.The more liberal set of permissions on subfolders allows users to create 
new files and modify previously saved documents in subfolders, but only if they 


created the files. Finally, you should assign Modify permissions to Carl. 


Applying these permissions requires several steps that go beyond the basic 
permissions available from the Security tab. After logging on as an 
administrator, you need to remove any inherited permissions by clicking the 
Advanced button and clearing the option labeled Inherit From Parent The 
Permission Entries That Apply To Child Objects. (In Windows 2000, the 
corresponding check box is labeled Allow Inheritable Permissions From Parent 
To Propagate To This Object.) Next, use the tools on the Security tab to add 
Full Control permissions for the Administrators group and for the System 
account. Add the Creator Owner account (Full Control) and your desktop 
publishing manager, Carl (Modify), to the list. Finally, add the Everyone group 
to the list (Read & Execute and Write permissions). 


All the permissions entered so far apply to the current folder and to all 
subfolders and files. To tighten permissions on the top-level folder, follow these 
steps: 


1. On the Security tab, click the Advanced button. 


2. In the Advanced Security Settings dialog box, select the 
permission entry for Carl and click Edit. 


3. In the Permission Entry dialog box, change the Apply Onto entry 
from its default setting (This Folder, Subfolder And Files) to 
Subfolders And Files Only. Click OK to save the permission and 
return to the Advanced Security Settings dialog box. 


4°-Repeat steps 2 and 3 for the Creator Owner and Everyone 
entries. 


5. In the Advanced Security Settings dialog box, click the Add 
button and enter Everyone in the Select User Or Group dialog 
box. Click OK. 


6. The Permission Entry dialog box opens automatically. In the 
Apply Onto list, choose This Folder Only, and then select the 
following options: Traverse Folder/Execute File; List Folder/Read 
Data; Read Attributes; Read Extended Attributes; Read 
Permissions. Click OK to save the permission. Note that a second 
entry for the Everyone group now appears. 


7. Click OK to close the Advanced Security Settings dialog box. 


The resulting set of permissions should look like the one shown in 
Figure 5-9. 


“Figure 5-9. Note the two permission entries for the 
Everyone group; entering the second set of permissions 
requires that you select five individual permissions from the 
Advanced Security Settings dialog box. 


Restricting Access to Programs 


When you’re wearing your administrator’s hat, 
you might want to limit which programs users 
can run. Your motive might be productivity—in a 
small office, you might not want your employees 
to spend their day playing FreeCell or Pinball. Or 
you might decide to restrict access to programs 
in the interest of system stability. After all, once 
you have your computer running smoothly, the 
last thing you want is for someone else to install 
a poorly written program that drags down 
performance or causes unexplained crashes. 


The good news is that you can prevent 
cooperative users from installing untrusted or 
insecure applications. The bad news is that an 
uncooperative user can almost always find a way 
to work around any restrictions you impose. 
Ultimately, your best chance for success is to 
educate users in the risks of installing 
unauthorized software. 


If you’re determined to protect your computer 
from unauthorized software, the most important 
step you can take is to give all users limited 
accounts. With this restriction in place, users can 
install only programs that meet Microsoft's 
“Designed for Windows XP” logo standards. Any 
application that tries to replace protected system 
files or tamper with registry settings outside the 
user’s personal profile will fail to install. In 
general, users with limited accounts will have a 
difficult time installing any software. 


In addition, you can try any or all of the following 
techniques: 


e Remove program shortcuts from 
the %AllUsersProfile%\Desktop and 
%AIllUsersProfile%o\Start Menu 
folders. 


e For programs that are installed in 
the Program Files folder (as the 
overwhelming majority of Windows- 
based applications are), change 
permissions on subfolders that 
contain programs you want to 
restrict. Remove the Everyone and 
Users groups from the list of 
available permissions, leaving only 
the Administrators group, the 
Power Users group (Windows 2000 
Professional and Windows XP 
Professional), and any users who 
should have access to that 
program. 


e Prevent users from opening a 
Command Prompt window, from 
which they can often launch a 
program. Look for the files Cmd.exe 
and Command.com, both of which 
are located in the 
%SystemRoot%\System32 folder. 
You can configure permissions on 
both of these files so that they can 
be executed only by administrators; 
or, if your users are relatively 
unsophisticated, you can simply 
rename the files. 


e With Windows XP Professional only, 
you can use Software Restriction 
policies to define lists of programs 
that are either allowed or 


prohibited. This powerful but 
complex tool is described in more 
detail in Microsoft Knowledge Base 
article Q310791, “Description of the 
Software Restriction Policies in 
Windows XP.” 


For more details about using Group 


Policy to restrict users, see Exploring 
Security-Related Policies. 


Restricting Access to the 
Registry 


On a computer running Windows, every 
configuration detail is stored in a large, 
supremely organized database, the Windows 
registry. Most of the time, you make changes to 
the registry indirectly, using check boxes, drop- 
down lists, and other elements in the user 
interface, to ensure that you don’t inadvertently 
enter the wrong data. Under some 
circumstances, however, editing the Windows 
registry directly is the only way to accomplish a 
particular task. To edit the registry safely, you 
need a basic understanding of how the built-in 
Windows Registry Editor works, as well as a 
healthy respect for the havoc that even a simple 
misstep can unleash. 


If you need a refresher course on the 
structure of the registry and how to 
use Registry Editor, we recommend 


that you read Chapter 28, “Editing the 
Registry,” in our previous book, 
Microsoft Windows XP Inside Out 
(Microsoft Press, 2001). 


You can prevent changes to individual registry 
keys and subkeys (but not to individual values) 
by editing the permissions for each such key. 
Registry permissions work like permissions 
assigned to shared resources or to files and 
folders on an NTFS drive; for each account or 
group, you can allow full control of a key, allow 
read access, deny access to the key, or set a 
bewildering array of special permissions. As we 


explain in this section, you can also lock out all 
access to the registry on a user-by-user basis. 


Handle registry permissions with 
care 


When it comes to protecting the 
registry, your worst enemy is a user 
who knows just enough to be 
dangerous. Web sites and popular 
magazines are filled with tips that 
encourage would-be Windows experts 
to tweak the registry in search of 
better performance or to work around 
restrictions imposed by an 
administrator. If you’re responsible for 
administering a computer and you find 
yourself doing constant battle with one 
such user, you might be tempted to 
lock him or her out of specific keys or 
branches using permissions. We don’t 
recommend this strategy because of 
the risk that your restrictions will 
result in unintended consequences 
that add to your support woes. Ina 
situation like this, you’re much better 
off educating the user about the 
problems that registry edits can 
cause. If you can’t reach a workable 
compromise, use the techniques we 
outline in this section to lock out the 
user’s access to registry editing tools. 


To adjust registry permissions, you must start 
with the correct tool. On a computer running 
Windows 2000, two registry editors are available. 
The easy-to-use Regedit.exe (also known as 
Registry Editor 5.0) allows you to search for keys 
and values and edit most data types. However, if 


you want to view and set registry permissions, 
you must run Regedt32.exe, with its distinctly 
old-fashioned interface. In Windows XP, this 
program is gone, replaced with Registry Editor 
5.1, which starts up when you enter regedit or 
regedt32 at any command prompt. 


From Windows 2000’s Regedt32 program (shown 
in Figure 5-10), you can access the Permissions 
dialog box by selecting a key or subkey from the 
window that contains its hive and then choosing 
Security, Permissions. 


“-Figure 5-10. Jo adjust permissions in the 
Windows 2000 registry, you must use the 
Regedt32 program. Note that each main 
branch (or hive) of the registry appears in its 
own window. 


On a computer running Windows XP, the new and 
improved Registry Editor utility lets you see the 
entire hierarchy in a single Explorer-style window, 
as shown in Figure 5-11. To view or change 
permissions, select a key or subkey, right-click, 
and choose Permissions from the shortcut menu. 


“-Figure 5-11. To adjust permissions in 
Windows XP, open Registry Editor, right-click 
the name of the key, and choose Permissions 
from the shortcut menu. 


Both Windows 2000 and Windows XP display 
registry permissions using a dialog box that 
should be comfortingly familiar to anyone who 
has worked with permissions for a shared folder 
or printer. 


Protect the registry from 
suspicious programs 


One noteworthy difference between 
the permissions assigned to a registry 


key and those assigned to files and 
folders is the presence of the 
Restricted security identifier (SID) in 
the Group Or User Names box for the 
HKEY_LOCAL_ MACHINE, 
HKEY_CURRENT_USER, and 
HKEY_USERS keys. On all these keys, 
the Restricted SID is limited to Read 
permissions; by contrast, members of 
the Administrators group have full 
control over these keys, and the 
Creator Owner of the 
HKEY_CURRENT_USER key has full 
control over that key. 


Although the Restricted SID is present 
on these registry keys in both 
Windows 2000 and Windows XP, this 
set of permissions has a practical 
effect only in Windows XP and is 
essentially ignored in Windows 2000. 
In Windows XP (Professional or Home 
Edition), you can launch a program by 
using the Run As command (right-click 
the icon for a program or shortcut and 
choose Run As from the shortcut 
menu). If you choose to run the 
program using the credentials of the 
current user, you can then select the 
Protect My Computer And Data From 
Unauthorized Program Activity check 
box. This option runs the program 
using your credentials but adds the 
Restricted token, which prevents the 
program from making any changes to 
the registry. This option is especially 
effective when you’re trying out a new 
program that is untrusted; by 
selecting this check box, you can 


safely run the program and see 
whether it generates any error 
messages or displays any unusual 
behavior. Avoid using this option with 
setup programs, which are almost 
always designed to make changes to 
the registry and will surely fail given 
the permissions assigned to the 
Restricted SID. 


Default permission settings in Windows XP and 
Windows 2000 do an excellent job of preventing 
limited users from damaging registry settings 
that affect the entire system. These users 
typically have Full Control permissions over 
portions of the registry that affect their own 
account (the HKEY_CURRENT_USER branch), 
allowing them to work with programs that install 
completely within their own profile. In addition, 
programs that use the Windows Installer for 
setup are able to install applications correctly, 
even when run from a limited user’s account. 
Problems arise, however, when a limited user 
needs to install or run a program that wasn’t 
written with Windows XP or Windows 2000 in 
mind. In that case, the user is likely to encounter 
an error message. The solution? Adjust 
permissions for specific keys and subkeys that 
affect the program, giving that user Full Control 
permissions over the necessary key, rather than 
the default Read permissions. 


Monitor changes to the registry 


How can you tell which registry keys 
and values are being accessed by a 
program or process? For best results, 
use any of several third-party utilities 
that monitor the registry and report 


activities to you. A pair of free utilities, 
FileMon and RegMon, developed by 
Mark Russinovich and Bryce Cogswell 
(http://www. winternals.com/products/ 
monitoringtools/monitoringtools.asp), 
help you identify exactly what’s 
happening on your computer in real 
time, monitoring changes to files and 
to registry settings. SmartLine 
Software’s shareware program Active 
Registry Monitor (http://www. protect- 
me.com/arm/), by contrast, takes 
before and after “snapshots” of the 
registry, allowing you to zero in on 
changes and experiment with different 
scenarios. Utilities such as these are 
essential when you’re trying to keep 
an eye on what's really happening 
beneath the covers of your computer. 


On a shared computer, you may decide that 
certain users should be denied all access to 
registry editing tools. To enforce the ban, you can 
use Group Policy, as described in Using the Group 
Policy Snap-In. Unfortunately, this solution 
cannot be applied easily to a single user but 
instead locks out all users—you included. If you’d 
prefer to be more selective, you'll need to make a 
change to the registry for the user you want to 
lock out. Follow these steps: 


Be extremely careful when applying 
this setting. After you change this 


registry value, you will no longer be 
able to use Registry Editor to undo the 
change. 


1. If the user whose access you want 
to disable has a limited account, 


change it to an administrator’s 
account. (You must have 
administrative rights to perform 
this change.) Then log on using 
that user’s credentials. 


. Start Registry Editor by typing 
regedit at any command prompt. 


. Browse to the key 
HKCU\SOFTWARE\Microsoft\Windo 
ws\ CurrentVersion\Policies 


. Select the System subkey. If this 
key does not exist, create it. 


. Create a new DWORD value 

DisableRegistryTools and set it to 1 
(1 = disable Registry Editor access; 
0 = enable Registry Editor access). 


The change is effective as soon as you exit 
Registry Editor and does not require you to log 
off or restart the computer. If you changed the 
account type in step 1, be sure to change it back 
to a limited account. 


Now, whenever this user attempts to start 
Registry Editor, he or she will see the following 
error message. The same error will appear if the 
user attempts to merge a registry settings file 
(with a .reg extension). 


“-To undo this change, follow these steps: 


1. Log on using the credentials of the 


locked-out user and create a 
shortcut with regedit.exe as the 
target. 


2. Right-click the shortcut (hold down 


the Shift key as well if you’re 


working with Windows 2000) and 
choose Run As. Supply the 
credentials of an account in the 
Administrators group. 


. Browse to the key 
HKLM\SOFTWARE\Microsoft\Windo 
ws NT\ CurrentVersion\ProfileList. 


. Select each SID under this key and 
look at the value ProfileImagePath. 
At the end of this string is the name 
of the user. Find the SID that 
matches the user whose access 
you're trying to restore. 


. Select the key HKU\ 
[SID]\SOFTWARE \Microsoft\Windo 
ws\CurrentVersion\ 
Policies\System, where [SID] is the 
SID you identified in step 4. 


. Change the value for 
DisableRegistryTools to 0 and close 
Registry Editor. 


Managing Printers and 
Peripherals 


Despite an otherwise pervasive focus on security, 
Windows 2000 and Windows XP allow essentially 
unfettered access to hardware devices that are 
connected to a computer. If you want to prevent 
users from writing data to floppy disks, writable 
CDs, or Zip disks, for instance, you must 
physically lock the drive or use Group Policy, as 
also install a third-party software utility that adds 
an extra layer of security on top of the Windows 
default settings, such as DeviceLock 
(http://www. ntutility.com/di/index.htm). The 
same basic principle applies to devices that 
connect to Plug and Play compatible ports, such 
as USB hardware devices. If the device in 
question includes a signed driver, any user can 
plug in the device, allow Windows to install the 
driver automatically, and use it. Users with 
limited accounts, however, cannot install 
unsigned device drivers. 


You can adjust permissions to restrict access to 
local printers in Windows 2000; in Windows XP, 
you may be surprised to note, this capability is 
available only if you disable Simple File Sharing. 
In Windows 2000, each printer has its own 
Security tab, similar to the one shown in Figure 
5-12, which allows you to specify which users can 
send jobs to the printer, which ones can manage 
jobs in the print queue, and which ones can 
manage printer settings. If you want only 
authorized users to be able to use a particular 
printer—say, a color inkjet printer whose 
cartridges cost a small fortune—remove the 
Everyone group from the list of available 


permissions and assign Print rights on a user-by- 
user basis. 


“-Figure 5-12. By default, the Everyone 
group has Print rights under Windows 2000. 
Adjust these permissions to prevent users 
from sending documents to a specific printer. 


Chapter 6 


Preventing Data Loss 


Most of this book is concerned with keeping the 
bad guys at bay—viruses, Trojan horses, 
malicious hackers, spammers, password crackers, 
and other misfits who want to get into your 
computer. But a discussion of computer security 
is incomplete if it doesn’t address the all- 
important issue of backing up your data. 


Most computer experts agree that the three most 
important security safeguards are “backup, 
backup, and backup.” A good backup provides a 
final safety net should an intruder or a virus get 
past all your other defenses and destroy your 
data. And backups provide security against a host 
of other, perhaps more likely, threats to your 
data: 


e Hard disk crash. Hard disks are 
more reliable today than they were 
in years past. Some hard disk 
manufacturers, in fact, no longer 
include mean time between failure 
(MTBF) in their product data sheets 
because the number was getting 
ridiculously high: several decades, 
in most cases. (Actually, MTBF was 
never intended to apply to a single 
drive; it predicts average failure 
rates in a fleet of drives. For 
example, if you have 100 disks with 
an MTBF of 100,000, the 
manufacturer’s tests predict that, 
on average, every 1000 hours one 
of your disks will fail. The MTBF 
applies only to the first year of 
operation.) That number no longer 


jibed with the manufacturer’s 
stated component design life, which 
is typically five years for hard disks. 
The data sheets now often show an 
annual failure rate (AFR) or annual 
return rate of less than 1 percent. 
Nonetheless, failures can occur at 
any time—often without warning— 
and can be triggered by a number 
of seemingly minor events, such as 
dropping or jarring the computer or 
the discharge of static electricity. If 
your drive happens to be that one 
in a hundred that dies, you'll be 
glad you have a backup. 


Electrical surge and related 
power problems. While we were 
writing this chapter, this threat was 
driven home forcefully. On a calm 
sunny day in California (where 
lightning is rarely a problem), an 
electrical surge wiped out all three 
hard disks in a friend’s computer. 
The surge might have been caused 
by a car hitting a power pole ora 
maintenance worker dropping a 
pair of pliers; we don’t know. But 
the drives are now in hard disk 
heaven. 


Fire, flood, tornado, hurricane, 
earthquake, and other natural 
disasters. ‘Nuff said. 


Theft. Laptop computers are 
particularly vulnerable to being 
stolen because of their portability 
and because they’re often out of 


your clutches in airports and other 
places with lots of strangers. And 
the problem is getting worse: In its 
Year 2000 Loss Study, Safeware, 
Inc., projected 387,000 notebook 
computer thefts in the United 
States, up 21 percent from 1999. 
Desktop computers are also high on 
the shopping list of burglars who 
prey on businesses, homes, and 
college dorms. 


User error. It’s all too easy to 
inadvertently change or delete files. 
You can make a mistake like this, 
for example, if you’re in the habit of 
breezing through dialog boxes 
without reading them carefully— 
one day, without a thought, you 
could click the wrong button. 
Although you can restore deleted 
files from the Recycle Bin, some 
deletion methods bypass Recycle 
Bin protection. Deleted files that do 
go to the Recycle Bin don’t stay 
there forever, either, as the oldest 
files are permanently deleted to 
make room for newly deleted files; 
you might not even notice that a 
needed file is missing until after it’s 
gone from the Recycle Bin. 


Faulty programs or device 
drivers. At one time or another, 
most longtime computer users have 
installed a new program or device, 
only to find that their computer no 
longer boots or operates properly. 
Attempts to uninstall the new item 


invariably leave some residual files 
or settings that continue to prevent 
the system from working. 
Fortunately, improvements in driver 
testing and qualification and in 
driver signing, plus the appearance 
of Recovery Console, System 
Restore, and other features in 
Microsoft Windows 2000 and, in 
particular, Microsoft Windows XP, 
have largely relegated these 
problems to the historical dustbin. 
But you can still encounter trouble 
occasionally, and having a backup 
that lets you restore your system to 
a known working condition can be 
immensely helpful. 


Despite the experts’ frequent admonitions to 
back up data, it’s a well-known fact that most 
users do not have a backup plan and do not 
perform backups regularly (or at all). Some 
believe that they don’t have any data worth 
backing up. However, nearly every computer 
stores something that’s important to its owner. If 
it’s not important financial, banking, or legal 
records, it might be a manuscript you’re working 
on, family photos, a music collection, e-mail 
messages, or even the settings and top scores for 
your favorite game. In addition to the content of 
your document files, consider how much time 
you've invested in configuring your system and 
fine-tuning it to work the way you like; do you 
want to (or could you) go through all those steps 
again if your computer experiences an untimely 
demise? 


In this chapter, we show you some backup 
strategies and tactics that make the chore 


tolerable, if not enjoyable. Without a significant 
investment of time or money, you can greatly 
improve your security and peace of mind by 
following these procedures. 


Security Checklist: Backup 


Follow the steps in this checklist to be 
sure you have a complete and current 
backup of the information on your 
computer. 


e Decide on a backup 
method. Back up 
selected folders and 
files, complete 
partitions, ora 
combination. 


e Decide on appropriate 
media for the backup 
method you select. 


e Delete data you won't 
ever need. 


e Using partitions, folders, 
or both, organize your 
remaining data so that 
files you use and modify 
frequently are in one 
area and seldom- 
changed files are in 
another. 


e Devise a backup 
schedule and an 
automated way to 
implement it. 


Create a full system 
backup on a regular 
basis. If you use the 
backup program 
included with Windows, 
be sure to make an 
Automated System 
Recovery disk (Windows 
XP) or an Emergency 
Repair Disk (Windows 
2000). 


Create a backup of your 
high-use documents on 
a more frequent basis. 


Protect your backups 
with a password. 


Store your backups in a 
secure, Off-site location. 


Learn how the data 
recovery process works, 
and periodically test the 
restore process. 


Painless Backup Strategies 


What makes a good backup? Ideally, your backup 
method is one that ensures that you will never 
lose a file you need. In addition, if your hard disk 
is lost, stolen, or completely destroyed, a good 
backup makes it possible to get a new system up 
and running with minimal hassle. (That is, you 
won't have to locate all your original program 
disks, along with their patches and updates, and 
then meticulously rebuild your system from 
scratch.) If your backup system is really good, 
you'll be able to retrieve files that you deleted 
weeks, months, or even years earlier. 


You can create such good backups in a number of 
ways. You have a wide choice of methods and 
media (removable disks, CD-R or CD-RW, tape 
cartridges, local hard disk, network drive, and 
online storage, to name a few). What’s best? The 
short answer: whichever system you actually use. 
It must be easy enough that it doesn’t become an 
unbearable chore left for another time. 


Because computer usage patterns, hardware 
capabilities, and resource constraints differ, no 
single method is best for everyone. In this 
section, we describe two widely used strategies. 
We then recommend a solution—a combination of 
these two strategies—that works well for most 
users in homes and small businesses. 


Backing Up Selected Folders and Files 


The traditional method for backing up a system is 
to specify certain folders and files to be backed 
up and then copy them to a backup location. You 
apply this basic concept whether you use 
Windows Backup (the backup program included 
with Windows), command-line utilities such as 
Xcopy, or third-party backup solutions. 
Depending on the program you choose for 
backups, you can use a variety of criteria to 
specify the files to be backed up, including the 
following: 


e File name 
e Location in the folder hierarchy 
e File modification date 


e Whether a file has been backed up 
before 


e Other file attributes, including 
whether the file is a hidden file or a 
system file 


e Whether a file already exists in the 
backup location 


Windows Backup, shown in Figure 6-1, is a full- 
featured backup program that lets you select 
folders and files to back up based on any 
combination of criteria. You can save a collection 
of backup settings as a backup job, and you can 
schedule the backup job to run automatically at 
predefined times. Windows Backup can back up 
data to a file (combining all the files you back up 
into a single file with a .bkf extension) or to tape. 


The backup program included with 
Windows goes by a variety of similar 
names, depending on which version of 
Windows you're using. In Windows 
2000 (and in this book), it’s called 
Windows Backup. In Windows XP, it’s 
called Backup Utility. In both operating 


systems, you can start Windows 
Backup by opening the Start menu 
and choosing Programs, Accessories, 
System Tools, Backup. Alternatively, 
you can start Windows Backup by 
typing ntbackup at a command 

t. 


“-Figure 6-1. Using Windows Backup, you 
can back up to tape or a disk file. 


Windows Backup in Windows XP 
Home Edition 


In Windows 2000 and Windows XP 
Professional, Windows Backup is 
installed by default. In Windows XP 
Home Edition, however, you won't find 
it on the Start menu or even in 
Add/Remove Programs. It js included, 
though—you just need to know where 
to look. 


To install Windows Backup, you need 
your Windows XP Home Edition CD. 
Use Windows Explorer to open the 
\Valueadd\Msft\Ntbackup folder and 
then double-click Ntbackup.msi. 


If your computer came with only a 
“system recovery” CD instead of a full 
Windows CD, finding Ntbackup.msi is 
not so easy. Look on the CD that was 
furnished and on any additional hard 


disk partitions set up on your 
computer. Some manufacturers 
provide the Windows files more or less 
intact, whereas others embed them in 
compressed disk image files. (Compaq 
systems with Windows XP Home 
Edition preinstalled, for example, have 
Windows files stored within Drive 
Image files on drive D.) If you happen 
to have the disk imaging program that 
was used to create the disk image 
files, you can extract the Windows 
files you need. 


Once installed, Windows Backup works 
the same in Home Edition as in 
Windows XP Professional, with one key 
exception: You can’t restore your 
system using Automated System 
Recovery (ASR). Although Windows 
Backup lets you create an ASR disk, 
the Home Edition CD does not include 
the requisite files to use the ASR disk 
—so there’s no point in making one. 
To perform a full system restore from 
a backup created with Windows 
Backup, you first need to reinstall 
Windows and reinstall Windows 
Backup. Only then will you be able to 
access your backup files and begin 
restoring. For more information about 
ASR, see Restoring_a System Using an 
Automated System Recovery Disk. 


This limitation provides another 
reason to use a disk imaging program 
for your full backups. See Backing Up 
Complete Partitions, for details. 


Windows Backup has plenty of competition from 
third-party commercial applications and 
shareware. Advantages offered by some third- 
party backup programs include the ability to back 
up network drives, to back up to CD-R or CD-RW 
media, to span multiple disks, and to compress 
backup files. (Windows Backup uses compression 
only on tape drives that support hardware 
compression, and not at all if you back up to a 
file). In this book, we show how to implement a 
backup system using Windows Backup—but other 
programs, perhaps with additional features that 
you'll find useful, work in a similar manner. 


Create rescue disks with your full 
backup 


Whatever tool you use for backing up 
your system, you should use its facility 
for creating a rescue disk. Typically, a 
rescue disk is a bootable floppy disk 
(or set of disks) that lets you access 
your backup media and fully restore 
your data; you'll need this disk to get 
going on a new system if your hard 
disk goes missing or belly up. 


In Windows XP Professional, Windows 
Backup can create an Automated 
System Recovery (ASR) disk. To 
create one using the Backup Or 
Restore Wizard, select All Information 
On This Computer on the What To 
Back Up page. In Advanced Mode, 
click the Welcome tab and then click 
Automated System Recovery Wizard. 
For more information, see Restoring a 
System Using_an Automated System 
Recovery Disk. 


Windows Backup in Windows 2000 can 
create an Emergency Repair Disk 
(ERD). For details, see Keeping an Up- 
to-Date Emergency Repair Disk. 


The general strategy for doing file backups is to 
periodically perform a full backup of everything 
on your computer’s hard disks. If you use your 
computer all day, every day, you'll probably want 
to schedule full backups to occur weekly; 
occasional computer users might want to perform 
a full backup only once a month or so. In 
Windows Backup, a full backup is called a normal 
backup. Windows Backup backs up all selected 
files and clears each file’s archive attribute so 
that subsequent differential or incremental 
backups don’t copy these files—unless, of course, 
the files have changed since the normal backup. 


Windows Backup, like most backup 
programs, uses each file’s archive 
attribute to determine whether to 
include the file in a backup. The 
archive attribute is a single bit in the 
file's directory entry. When a file is 
created or modified, its archive 
attribute is turned on. When a file is 
backed up using a normal or an 
incremental backup, the archive 
attribute is cleared. You can view (and 
set, if you like) the archive attribute 
for a file by right-clicking the file in 
Windows Explorer and choosing 
Properties. On the General tab, click 
the Advanced button; the first check 
box in the Advanced Attributes dialog 
box represents the archive attribute. 


Then, on a more frequent basis (typically every 
day if you use your computer constantly), you 
perform a selective backup of files that have 
changed since the last full backup. 


Establish and follow a schedule 


A key component of a successful 
backup strategy is to establish and 
observe a regular schedule. The 
frequency of your schedule depends 
on the type of work you do with your 
computer. As noted, some users will 
want to perform full backups weekly 
with daily interim backups, whereas 
those who use their computers 
infrequently or change only a few files 
might be adequately protected with a 
monthly/weekly schedule. To ensure 
that the schedule is followed, use the 
scheduling feature in your backup 
program or the Task Scheduler in 
Windows. 


For your frequent, interim backups, Windows 
Backup supports two types of backups that 
automatically exclude files that haven’t changed 
since the last backup: 


e An incremental backup copies files 
that have changed (or been 
created) since the most recent 
normal or incremental backup and 
clears these files’ archive attributes. 


e A differential backup copies files 
that have changed (or been 
created) since the most recent 
normal or incremental backup but 
does not clear the files’ archive 


attributes. Subsequent differential 
backups continue to copy all files 
that have changed since the most 
recent normal or incremental 
backup. 


You can use either type for your frequent 
backups; which you choose is a matter of 
convenience. An incremental backup includes 
fewer files in each operation (because it includes 
only the files that have changed since the last 
backup), so the backup files are smaller and the 
backup process takes less time. A differential 
backup, however, makes it much easier to restore 
files from your backup media when necessary. 
With this type of backup, you can locate any file 
(or restore your entire system) by checking, at 
most, only two backup files: the most recent full 
backup and the most recent differential backup. 
With incremental backups, on the other hand, 
you might need to fish through the full backup 
and all the incremental backup files before you 
find the item you need to restore. 


Therefore, unless you change a lot of data every 
day—so much that you can’t perform an 
unattended backup—you’re better off using the 
differential type for your interim backups. (An 
unattended backup is one that runs automatically 
and doesn’t require any manual intervention such 
as responding to dialog boxes or changing 
media.) 


In addition to normal, incremental, and 
differential backup types, Windows Backup 
supports two others: 


e A copy backup copies all selected 
files but does not clear their archive 
attributes. A copy backup is useful 


as a way of archiving particular files 
without affecting your overall 
backup routine. 


e A daily backup copies all selected 
files that have changed on the 
current day, without clearing the 
files’ archive attributes. It’s a way 
of backing up a particular day’s 
work without affecting the overall 
backup routine. 


Avoid the daily backup type 


The daily backup type sounds like it 
might be an appropriate part of a 
regular backup routine. It’s not. 
Although the daily type can be useful 
for certain ad hoc backups, it has two 
shortcomings that make it unsuitable 
for regular once-a-day backups. 


e A daily backup includes 
only files created or 
changed on the day of 
the backup, up until the 
time of the backup. Any 
files that are changed 
after the backup is run 
are missed, and they 
won't be picked up in 
the next day’s backup 
because they weren’t 
changed that day. 


e If you miss a day for any 
reason (the scheduled 
task didn’t run, the drive 
didn’t contain media, 


you had to rush home 
before starting the 
backup), that day’s files 
won’t be backed up. 


To avoid these problems, use either an 
incremental or a differential backup 
for everyday backups. 


You can find a program for backing up selected 
files that works with just about any type of 
media, including the following: 


e Floppy disks. With a capacity of 
only 1.44 MB, floppy disks are 
practically useless for serious 
backups of a computer running 
Windows XP or Windows 2000. (The 
operating system files alone would 
occupy several hundred floppy 
disks, and a full backup would take 
days.) But in a pinch, if you have 
no alternative, they can be handy 
for backing up a handful of key 
files. 


e High-capacity floppy disks. Zip 
disks (available in 100 MB and 250 
MB capacities) and Jaz disks 
(available in 1 GB and 2 GB 
capacities), both from Iomega 
Corporation 
(http://www.iomega.com), as well 
as other high-capacity removable 
magnetic disks are well suited for 
interim backups, but they are 
generally too costly (and too slow) 
for full backups. 


e Magneto-optic (MO) discs. MO 
discs are available with capacities 
ranging from about 128 MB to 5 
GB. 


e Tape. Magnetic tape cartridges for 
data backup come in a variety of 
formats and capacities. Tape has 
traditionally been the backup media 
of choice. In recent years, however, 
hard disk capacity has grown 
quickly, outpacing that of tape 
cartridges and drives. Nowadays, 
most tape drives that cost less than 
the computer in which they're 
installed use tapes that hold only a 
fraction of the computer’s hard disk 
data. Performing a full backup is a 
slow process and can’t be 
performed unattended because you 
must keep feeding in new tape 
cartridges. 


e Hard disk. Backing up to another 
hard disk with adequate free space 
is often the most convenient 
method because your backups can 
run unattended; you don’t have to 
stand by to swap media as each 
tape or disk fills up. (As you'll see 
later in this chapter, backing up to a 
hard disk is, in fact, the method 
that we recommend—but only as an 
intermediate stop on the way to 
CD-R or CD-RW media.) An internal 
hard disk (if it’s a separate disk and 
not a separate partition on the 
same disk) can provide protection 
against data loss as the result of 


hard disk crashes, viruses, and 
accidental deletion, but it’s useless 
against the many other threats to 
your data (power problems, theft, 
natural disaster, and so on). You 
can gain additional protection by 
using one or more hard disks in 
removable drive drawers, but 
having enough spare disks (as well 
as the caddies to hold them) is an 
expensive proposition. 
Furthermore, hard disks are rather 
fragile devices; repeatedly inserting 
and removing them, throwing them 
in the trunk of your car, and 
inflicting other abuse quickly 
diminishes the disks’ value as 
reliable backups. 


CD-R and CD-RW. Because the 
price of drives and media is so low, 
CDs have become the backup 
media of choice for many users. 
Although CD-R discs can’t be 
reused, they can nevertheless 
provide the least expensive 
backups overall. And they offer 
another benefit: they can be used 
for long-term archival storage. If 
you back up to reusable media 
(such as tape), you'll be able to go 
back, at most, a few months to 
retrieve old files (unless you buy 
additional expensive tape cartridges 
or other media for archiving). The 
biggest drawback to CD media is 
their capacity (only about 650 MB); 
it takes several CDs to perform a 
full backup. 


e Web-based storage. A number of 
companies allow you to back up 
your files over the Internet. Some 
companies provide a backup 
program that interfaces with the 
Internet storage location (for 
example, SwapDrive, at 
http://www.swapdrive.com); others 
use your Web browser. Regardless 
of the interface, using the Internet 
for backups is impossibly slow 
unless you have a broadband 
connection. Even with a fast, 
reliable connection, backing up 
gigabytes of data is impractical. 
Another shortcoming of a Web- 
based backup is that you can’t use 
it to rebuild a system from scratch 
in case your computer is destroyed 
or stolen. At a minimum, you'll 
need to install the operating system 
and set up a working Internet 
connection before you can begin 
restoring the rest of your files. 
(Most current backup programs 
that save to local media have an 
option to create an emergency 
repair disk—a bootable floppy disk 
or CD—from which you can restore 
everything without first installing 
the operating system and backup 
software. ) 


You can find a good list 
of companies offering 
Web-based storage by 
going to 

http://dir. yahoo.com 


and clicking links to 
follow this tortuous path 
through the Yahoo! 
directory: Business and 
Economy, Shopping and 
Services, 
Communication and 
Information 


Management, Internet 
and World Wide Web, 
Personal Information 
Management, File 
Hosting. 


e DVD. At the time of this book’s 
publication, the dust had not yet 
settled on the battle for a standard 
recordable DVD format. With 
capacities of up to 9.4 GB per disc, 
DVD-RAM, DVD-R, DVD-RW, and 
DVD+RW all provide promising 
backup solutions—once a standard 
is established and the prices of 
drives and media come down. 


Not all backup programs 
support all media types. 
Windows Backup, for 
example, cannot back 
up directly to CD-R or 
CD-RW media. (We 
explain a workaround 
later in the chapter: 
Back up to a hard disk, 
ensure that your backup 
files are no larger than 
the CD capacity, and 
burn the backups to a 
CD in a separate 


operation.) If you're 
married to a particular 
backup medium, be sure 
that the backup program 
you choose supports 
that medium. 


Backing Up Complete Partitions 


One problem with file backups is that they don’t 
copy every bit of information on your hard disk. 
Files that are in use—including some critical 
system files—are difficult, if not impossible, to 
back up with a program such as Windows 
Backup. (Windows XP adds a volume shadow 
copying feature, which creates a copy of all files 
in use at the time a backup job begins and then 
backs up the copies. This is designed to produce 
an exact duplicate of a disk volume—including 
any files in use.) 


Several software publishers have come up with 
an alternative solution: disk imaging programs. 
By working outside Windows (they boot to their 
own version of DOS), disk imaging programs can 
make an exact duplicate of an entire hard disk 
partition. The two leading programs in this field 
are Drive Image (PowerQuest Corporation, 
http://www. powerquest.com/driveimage/) and 
Norton Ghost (Symantec Corporation, 
http://www.symantec.com/sabu/ghost/). Figure 


6-2 shows Drive Image. 


“-Figure 6-2. QuickImage is the component 
of Drive Image 5 that lets you set up backup 
jobs. 


Disk imaging programs clone an entire partition 
by copying it (and, optionally, compressing its 
data) to another hard disk partition. To use a disk 
imaging program, then, you must have a spare 
partition on which you can put the copy. (You can 
subsequently copy the backup copy to other 
media, such as CD-R.) This is the biggest 
disadvantage of disk imaging programs: Before 
you can use them, you must repartition your hard 


disk to create a backup partition, or you must 
install an additional hard disk for that purpose. 
(Because disk imaging programs can compress 
the data, the backup partition need not be as big 
as the partition you're backing up.) If your 
computer isn’t already configured with two or 
more hard disk partitions, including at least one 
that has plenty of free space and no data that 
needs to be backed up, you'll need to invest 
some money for another hard disk, partition- 
management software, or both. Because hard 
disk prices continue to drop as disk capacities 
increase, however, a relatively low investment 
can give you a backup system that you'll actually 
use. 


Backing up directly to CD-R media 


The newest versions of the two 
leading disk imaging programs, Drive 
Image 5 and Norton Ghost 2002, can 
write directly to CD-R and CD-RW 
media. Although this feature makes it 
possible to back up a hard disk 
without having a large spare disk or 
partition to use as an intermediate 
backup location, restoring the partition 
or individual files from backups 
created on CD can be a major pain. 


During the backup process, Drive 
Image creates a number of files on 
each CD, including ones that have the 
file name you specify anda 
consecutive numeric extension (for 
example, Backup_C.001, 
Backup_C.002, and so on). A backup 
of a good-size partition (say, 20 GB) 
might have hundreds of such files. 
When you use ImageExplorer, the 


utility included with Drive Image for 
working with image files and restoring 
files, it asks you to insert the first CD 
in the set and then the last CD in the 
set. That’s not so bad, but then it 
proceeds to ask for several more CDs. 
Instead of asking for a CD by its 
number, however, it asks you to insert 
the CD that contains a particular file— 
and gives no indication which CD that 
file might be on. Furthermore, it 
requests files in seemingly random 
order and requests some files multiple 
times, requiring a lot of disk shuffling 
and guesswork. Should you have 
enough patience to shuffle enough 
CDs to display the partition’s root 
folder in ImageExplorer, be prepared 
to begin the shuffle anew if you 
attempt to open any of the partition’s 
subfolders. 


All in all, writing directly to CD 
sometimes produces a nearly 
unworkable mess. And when you 
really need the backup most, because 
you're trying to restore an important 
file, this time-consuming shuffle 
compounds an already stressful 
situation. 


Fortunately, you have alternatives. By 
far the best alternative is to create 
your disk image on a spare partition 
you create for the purpose and then 
copy the partition backup files to CD. 
This system not only enjoys the other 
advantages described in this chapter 
(most notably, the ability to perform 


unattended backups) but also greatly 
simplifies the task of identifying CDs 
when they’re requested. (Because 
each CD contains only one large file, 
it's easy to know which numbered file 
is on each CD.) In addition, if it’s still 
available, you can restore from the 
partition backup files still on the spare 
partition, which is much faster and 
more convenient. 


Although disk imaging programs can back up only 
entire partitions, you can use them to restore 
individual folders or files as needed. Figure 6-3 
shows ImageExplorer, the component of Drive 
Image 5 that you use for various image-file 
management tasks and, more important, for 
restoring files from a backup image. 


“-Figure 6-3. Disk imaging programs let you 
restore individual folders or files from a disk 
image. 


Like file backup programs, disk imaging programs 
let you store backups on a wide variety of media. 
In fact, because a partition backup is stored as 
an ordinary file, you can store it on just about 
any type of media. (The programs include an 
option to split the backup file across multiple 
files, each sized to the maximum capacity of the 
target media.) 


Although you can restore individual 
folders and files stored on any 
supported media from within 
Windows, you should store partition 
backups only on devices for which you 
have DOS drivers. If you need to 
perform a full restore, you must boot 
from a DOS-based emergency repair 


disk that includes any necessary DOS 
drivers for your backup devices as well 
as the restoration program provided 
with the disk imaging program. This 
typically limits your device choices to 
hard disks, network drives, CD drives, 
some Iomega drives, and some MO 
drives. Check the documentation for 
the disk imaging program to see how 
to create an emergency repair disk 
and which devices are supported. 


Combining Methods for Best Backup 
Strategy 


A partition backup provides the best full backup; 
it includes all the bits on the disk and, if you back 
up to a different hard disk partition, it can be run 
unattended in a relatively short time. But using a 
partition backup for your frequent interim 
backups makes little sense; with a file backup 
you can back up the files that have changed ina 
fraction of the time and media space that a full 
partition backup requires. Hence, our 
recommended solution for most small businesses 
and home users is a hybrid one: 


e Periodically use a disk imaging 
program to perform a full backup of 
all your computer’s partitions 
(except the one you use as a 
backup location). Schedule the 
program to run when you won't be 
using your computer (for most 
people, in the middle of the night), 
and save the backup files to a hard 
disk partition reserved for the 
purpose. At your convenience (but 
as soon as possible), copy the 
image files to CD-R or other 
removable media that can be 
accessed using the emergency 
repair disks created by your disk 
imaging program. 


e On a more frequent basis, use 
Windows Backup or a similar 
program to back up the files (such 
as document files) that you use day 
in and day out. Schedule the 


program to run when your 
computer is idle, and save the 
backup files to the same backup 
partition that you use for full 
backups. Compress the backup file 
and copy it to a CD-R or other 
removable media. (Unlike the disk 
image backup, removable media 
don’t need DOS-level support. But 
CD-R is such a durable, fast, and 
inexpensive medium that it works 
quite well for this purpose. ) 


That’s all there is to it. You'll probably want to 
schedule the full backups to occur somewhere 
between once a week and once a month, with 
interim backups performed daily. Increase the 
frequency of your full backups when the interim 
backups no longer fit on one CD (or whatever 
medium you choose). 


To obtain the safety of off-site storage and the 
convenience of having your backups on-site, take 
the CD-R or other removable media to an off-site 
location and leave the original backup files on the 
hard disk partition reserved for backups. For off- 
site storage, you could take your office backups 
home and take your home backups to work, for 
example. You could even mail them to a friend in 
another state. The off-site backup, on removable 
media, is available in case of total disaster; and 
the hard disk copy is available on a moment’s 
notice if you discover that you’ve inadvertently 
deleted a file you need. 


The following sections of this chapter explain in 
detail how to implement and automate this two- 
tiered backup strategy. 


Organizing Your Data 


Unless all your data resides on a tiny hard disk 
(unlikely if you're running Windows XP or 
Windows 2000) or you have an expensive tape 
library system with an automatic changer, you 
won't be able to back up your entire system 
without babysitting the backup process to change 
media. Unattended full backups are the norm in 
many corporations, which rely on large-capacity 
tape drives and automatic changers that run at 
night. But most backup systems that can perform 
such operations are prohibitively expensive for 
home users and small businesses. Therefore, 
you'll do yourself a favor by organizing your data 
in a manner that minimizes the amount of data 
that needs to be backed up—regardless of the 
backup strategy you choose. 


Eliminating Unnecessary Data 


Begin by doing some housecleaning. Delete files 
that you know you won’t ever need and uninstall 
programs that you no longer use. Use Disk 
Cleanup to empty the Recycle Bin and get rid of 
temporary files and other junk. (To start Disk 
Cleanup, right-click a drive in Windows Explorer, 
choose Properties, and click Disk Cleanup. Or, 
more simply, type cleanmgr at a command 
prompt.) 


If you use Windows XP to burn CDs, clear the 
staging area. To do that, open the CD drive in 
Windows Explorer. If any files appear in the Files 
Ready To Be Written To The CD group, click 
Delete Temporary Files in the task pane. 


Performing these housekeeping tasks before each 
backup avoids the wasted effort of backing up 
unnecessary data. In addition, by making a few 
one-time configuration changes, you can further 
reduce the time and space needed for your 
backups. Consider the following options: 


e Reduce the space allocated to 
the Recycle Bin. By default, the 
Recycle Bin can grow to be 10 
percent of the size of your hard 
disks’ capacity. Particularly with 
large hard disks, this protection 
against accidental deletion is more 
than most people need—especially 
if they have a good daily backup 
routine. To reduce the maximum 
Recycle Bin size, right-click the 
Recycle Bin and choose Properties. 
On the Global tab (or on the tab for 
each drive, if you configure the 


drives independently), move the 
Slider to the left. 


Reduce the size of your 
temporary Internet files cache. 
When you use Microsoft Internet 
Explorer, it saves files from the 
sites you visit so that they'll load 
faster when you revisit the same 
Web page or other pages that use 
the same files. By default, the 
cache is often ridiculously big. Many 
experts recommend a cache setting 
of 5 MB to 30 MB, depending on the 
connection speed. (Slower 
connections, such as dial-up, 
should use a setting at the upper 
end of the range.) To set the cache 
size, in Internet Explorer choose 
Tools, Internet Options. On the 
General tab, under Temporary 
Internet Files, click Settings and 
then move the slider to the left. 


Disable hibernation. Hibernation 
is a power-management feature 
that saves an image of your 
computer’s RAM on your hard disk 
before shutting down the power; 
when you turn the power back on, 
hibernation quickly boots right to 
where you left off. The image is 
stored in a hidden file named 
C:\Hiberfil.sys, a file that matches 
your computer’s RAM in size. 
Hibernation is a nifty power-saving 
feature, but if you never use it, 
there’s no point in including that 
huge file in your backups. To 


disable hibernation, go to Control 
Panel and open Power Options. On 
the Hibernate tab, clear the check 
box that enables hibernation. Doing 
so deletes Hiberfil.sys. 


Delete the page file on 
shutdown. The page file is a large 
file used as virtual memory, but 
there’s no reason to back it up. If 
you’re using a disk imaging 
program for full backups, you can 
cut down the space requirements 
by deleting the page file when you 
shut down Windows. (The disk 
imaging program operates under 
DOS, not Windows.) To configure 
Windows to delete the page file 
each time you shut down, use 
Registry Editor to open the 
HKLM\System\CurrentControlSet\C 
ontrol\Session Manager\Memory 
Management key. Set the 
ClearPageFileAtShutdown value to 
1. (Deleting the page file also has a 
security benefit: It prevents a 
snooper from booting to another 
operating system and poring 
through your page file to examine 
files and programs you used during 
your last session. However, it also 
has a drawback: It increases 
shutdown time considerably. ) 


Move the page file to a partition 
that you aren’t backing up. If 
you don’t back up certain partitions 
(such as the one where you store 
backup files), consider using that 


partition for your page file. To make 
the change, right-click My 
Computer, choose Properties, and 
click the Advanced tab. Click the 
button in the Performance box. In 
the Performance Options dialog 
box, click the Advanced tab 
(Windows XP only) and click 
Change. Select each drive and set 
the size of the page file for that 
drive. 


Reduce the space allocated to 
System Restore. System Restore 
is a feature of Windows XP that 
saves restore points—mini-backups 
that let you restore your system 
files to a previous point in time. By 
default, Windows uses up to 12 
percent of each hard disk’s space 
for System Restore data. To reduce 
this amount, right-click My 
Computer, choose Properties, and 
click the System Restore tab. If 
your computer has only a single 
hard disk, adjust the slider in the 
Disk Space Usage box. If your 
computer has more than one hard 
disk, select each drive in turn and 
click Settings to adjust the 
maximum space used. 


Arranging Your Data for Easy Backup 


You should back up all the data that remains after 
you’ve removed the files that are totally 
superfluous—but you don’t need to back it all up 
every day. The files you actively work with day in 
and day out (primarily documents) have different 
backup needs than files that change rarely (such 
as program files). Your next step in developing an 
effective backup system, then, is to organize the 
data on your hard disks so that you can easily 
separate the files that need to be backed up 
frequently from those that seldom change. 


You can do this by storing your frequently 
changed files in a separate folder or even a 
separate partition. To a great extent, Windows 
does this for you if you use subfolders of My 
Documents for storing your documents. Most 
recent applications store their data by default in 
My Documents or another subfolder of your user 
profile. (You can view the folders in your user 
profile by typing %ouserprofile% in the Run 
dialog box or in the Windows Explorer address 
bar.) Don’t fight this organization; it’s a good 
thing! For programs that don’t use My Documents 
as a default location, move your documents to a 
subfolder of My Documents if the program allows 
it; otherwise, keep track of where the program 
stores data. 


One notable program that does not 
save documents in My Documents by 
default is the Eudora e-mail program. 


It stores e-mail messages with the 
program files in a subfolder of the 
Program Files folder. 


Many users prefer to store their frequently 
changing documents on a separate partition. 
Moving My Documents (and all its subfolders) is 
quite simple: Right-click My Documents, choose 
Properties, and click the Target tab. In the Target 
box, type a new location, or click Move to browse 
to a location. Remember that each user on your 
computer has a My Documents folder, so you 
must repeat this procedure for each user if you 
want to move My Documents to a different 
partition. 


Even if you manage to store most of your 
documents on another partition (whether you use 
My Documents or an ordinary folder), your user 
profile and other users’ profiles will undoubtedly 
accumulate additional information that you 
should back up. Therefore, if you’re intent on 
using partitions to isolate your changeable data, 
you really should store the entire Documents And 
Settings folder on the partition to be backed up 
frequently. You can’t just move the folder, 
however, because the registry is filled with 
references to that folder. The preferred way to set 
up profiles in a different location is to specify the 
location during Windows setup using the 
/Unattend switch. You can move the profiles 
folder after setup, but doing so is fraught with 
error and is not supported by Microsoft. 
Nonetheless, you can find instructions for both 
options in Microsoft Knowledge Base article 
Q236621 and Q310147. 


Archive your old documents in a 
different folder 


To keep the My Documents folder from 
becoming cluttered with files that 
don’t need to be backed up frequently, 
use it only for documents that you’re 


actively working with. Periodically 
(perhaps before each full backup), 
move the documents you no longer 
use regularly to a folder that’s not in 
My Documents—call it Archives or 
something similar. Your My Documents 
folder can then remain relatively 
small, and you'll need to back up the 
Archives folder only when you add 
files to it. 


Creating a Backup Partition 


Regardless of whether you use separate 
partitions for your different classes of data, you 
will need a separate partition to save your backup 
images if you want to create fast, unattended 
backups as described in this chapter. Ideally, the 
partition should be at least as large as the rest of 
your partitions combined; this allows plenty of 
room for backups of all partitions as well as 
temporary files used while compressing the 
backup data. Through the miracle of 
compression, you can usually get away with a 
backup partition that is about one-third smaller 
than the largest partition you plan to back up, if 
need be. 


Creating partitions is simple if you’re working 
with a new, unpartitioned disk. The Disk 
Management console included with Windows 
makes it easy to create, delete, and format 
partitions. Unfortunately, however, if you already 
have data on your existing partitions, Disk 
Management is of little use unless you can 
somehow back up the data. That’s because Disk 
Management can’t resize partitions on basic disks 
(the type most users have); the only way to 
divide an existing large partition into smaller 
partitions is to delete the existing partition 
(destroying its data) and then create new 
partitions in its place. (For complete details about 
using Disk Management, see our earlier book, 
Microsoft Windows XP Inside Out [Microsoft 
Press, 2001].) 


Third-party partition management tools can 
resize your existing partitions and create new 
partitions without destroying your data. Two 
popular programs of this type are PartitionMagic, 


from PowerQuest 
(http://www.powerquest.com/partitionmagic/), 
and Partition Manager, from Paragon Technologie 
GmbH (http://www. partition-manager.com). 


Ordinarily, partition-management programs 
safely modify your disk layout. But they do work 
with your data at a low level, and the publishers 
rightly recommend that you back up your data 
before you use the program. This leaves you with 
a Catch-22: You can’t back up your hard disk 
until you create a backup partition, and you can’t 
create a backup partition until you back up your 
hard disk. Rather than taking your chances that 
the partition manager will succeed, you can try 
one of these two solutions: 


e Make a backup using whatever 
tools are available, even though it 
won’t be as convenient as your 
ultimate backup system. For 
example, you can use Drive Image 
to back up directly to a CD-R. You 
can use Windows Backup to back 
up to a file on a network drive. Or 
you can simply copy the content of 
My Documents and other 
irreplaceable files to removable 
media. 


Install another hard disk and use it 
as your backup partition. 


Performing Regular Backups 


With your hard disk now freed of unneeded data, organized so that you can 
segregate your full backup and frequent backup data, and set up with a 
partition for your backup data, you’re ready to back up. The following sections 
explain how to implement our recommended backup system by performing 
your full and frequent backups using the most appropriate tools. 


Performing a Full Backup with Disk Imaging Software 


Using a disk imaging program, you can easily set up a full backup job to run 
automatically and unattended. In this section, we explain how to use Drive 
Image 5, but other programs work in a similar manner. 


If you haven't already done so, use Drive Image (or the program of 
your choice) to create a set of rescue disks. You'll need these disks 
if you ever need to rebuild your system from scratch; they allow you 
to restore your partition image from removable media without first 
installing Windows. 


To set up a backup job, follow these steps: 


1. Open QuickImage, a component of Drive Image. Although the 
actual backup job runs under DOS, using this Windows-based 
component to set up your job makes it easier to schedule. 


2. Click Select Partitions. 


3°*Select each partition you want to include in your full backup. 
Unless you have certain partitions with data that never needs 
backup, you should select all partitions except the one that is 
your backup destination. (If the backup partition isn’t big enough 
to contain data from all your other partitions, you might need to 
set up separate jobs for each partition.) Click OK. 


4. Click Advanced Options. 


57"Make the following settings in the Advanced Options dialog 
box and then click OK: 


e Select Split Image File Into Multiple Files and 
specify the size of your removable backup media. 
(The preceding illustration shows the value to use 
for CD-R media.) 


e Select High as the compression level to minimize 
the size of the backup files. 


e Select Password Protect Image File and specify a 
password. 


It’s important to protect your backup files with a 
password. Without that protection, anyone who 
obtains your backup media can restore any or all of 
your files to another computer without your 
knowledge. 


6. In the Image Filename box, specify a file name and a location on 
your backup partition for your backup file. For example, if you set 
up drive U as your backup partition, you might specify 
U:\FullBackup. 


7. Enter a description (“Full backup of all partitions,” for example) in 
the Image Description box, and then click Save to save the 
backup job definition. 


8. Click Schedule Task, and then use the Image Creation Schedule 
dialog box to set up a scheduled time to run the backup. Drive 
Image adds the scheduled backup to the Scheduled Tasks folder 
in Control Panel. 


Because disk imaging programs run under DOS, all programs will 
close and Windows will shut down when the scheduled time arrives. 
Therefore, you'll want to schedule the task to run at a time when 
you normally don’t use your computer. 


After the backup job runs at its appointed time, you then copy the backup files 
from your backup partition to CD-R or other removable media. You can copy 
the CDs in the background as you go about your daily work. 


When you’ve finished copying the backup files to CD, label the CDs with the 
date and move them to an off-site location. If you don’t need the room for 
other files, leave the backup files in place on your backup partition. Your next 
full backup uses the same file name and will overwrite the files. In the 
meantime, if you need to restore a file, you can do so quickly and easily from 
the hard disk copy of the backup. 


Media Rotation Schedules 


If you use tape or other reusable magnetic media for your backups, 
you should create a media rotation schedule. (Because our 
suggested backup solution uses single-use CD-R media, media 
rotation is not an issue in that case.) These rotation schedules are 
intended to protect your data with a minimum number of tapes or 
disks, to use all media regularly for even wear, and to organize your 
media so that restoring data is fast and efficient. 


A commonly used schedule (sometimes called GFS, for grandfather, 
father, son) organizes your media into daily (son), weekly (father), 
and monthly (grandfather) backups. With a typical implementation 
of this system, you need four tapes for daily differential backups, 
three tapes for weekly full backups, and three tapes for monthly full 
backups. 


Each week, you use the four daily tapes (labeled Day 1 through Day 
4 or, if you prefer, Monday, Tuesday, Wednesday, and Thursday) to 

perform differential backups. That is, on Monday of every week, you 
use the Day 1 or Monday tape to make a differential backup, and so 
on. 


Every Friday, you make a full backup. You rotate through the weekly 
and monthly tapes as follows: 


e On the first Friday (and every fourth Friday 
thereafter), use the Week 1 tape. 


e On the second and third Fridays, use the Week 2 and 
Week 3 tapes. 


e On the fourth Friday, use the Month 1 tape. 
e On the eighth Friday, use the Month 2 tape. 


e On the twelfth Friday, use the Month 3 tape, 
completing the first rotation cycle. 


Numerous variations on this rotation scheme and many others have 
been devised. An Internet search for “backup rotation schedule” will 
provide many ideas if this schedule doesn’t suit your needs. 


Performing Interim Backups with Windows Backup 


Windows Backup is a fine tool for frequent interim backups, for it can be 
scheduled to run without intervention. To set up a daily backup job, follow 
these steps: 


1. Type ntbackup at a command prompt to open Windows Backup. 


If you use Windows XP, the Backup Or Restore Wizard starts. We 
recommend you use the wizard, which offers two preconfigured 
backup jobs that are ideal for interim backups: My Documents 
And Settings and Everyone’s Documents And Settings. (See 
Figure 6-4.) These jobs include the important files from your 
profile (or profiles) and specifically exclude a number of files that 
should not be backed up, such as the hibernation file and the 
page file. When you reach the wizard’s final page, click Advanced 
to set up a schedule for your backup job. That’s it; you're done. 


2. Click the Backup tab. 


“Figure 6-4. The wizard in Windows XP makes it easy to set 
up an interim backup of your document files and other 
settings. 


If you prefer to specify your own backup parameters, click the 
Advanced Mode link and continue with this procedure. 


If you use Windows 2000, no wizard appears. Although you can 
summon one, the wizard in Windows 2000 doesn’t have the 
compelling options offered by the Windows XP version. Therefore, 
you should continue with this procedure. 


3. Select the folders that contain data you want to back up. In most 
cases, that would be only C:\Documents And Settings. 


4. In the Backup Media Or File Name box, type the name of the file 
on your backup partition that will contain your backup data (for 
example, U:\Daily.bkf). 


5. Choose Job, Save Selections to save your backup job definition. 
6. Click Start Backup. 


7*“In the Backup Job Information dialog box, make the following 
settings: 


e Type a description of the backup job if you like. 


e Select the Replace option so that your backup job 
creates a new file with the same name each time 
you run it. 


Select the Allow check box. This allows any 
member of the Administrators group to restore files 
from your backup file, but prevents someone who 
does not have an account on your computer from 
using the file. (Later in the process, you can store 
the backup in a password-protected .zip file for 
additional protection.) 


8. Click Schedule and enter your password (or the user name and 
password of an account with sufficient permissions; see the 
sidebar “Windows Backup and Permissions” for details). Click OK 


and then set up a schedule in the Scheduled Job Options dialog 
box. You can schedule the backup to run at any time because 
Windows Backup runs without interrupting your other work. 
However, if you use Windows 2000, which lacks the volume 
shadow copy feature, files that are open while the backup is 
running might not be backed up. Therefore, it’s best to schedule 
the job at a time when you know your computer will be idle. 


Windows Backup and Permissions 


Windows won't let just anybody log on to a computer, back up files, 
and subsequently restore them somewhere else. You must have 
certain permissions or user rights to back up files, whether you use 
Windows Backup or another file backup program designed for 
Windows XP or Windows 2000. Here are the provisions: 


e A member of the local Administrators group or Backup 
Operators group can back up all files on the local 
computer—even files that NTFS permissions otherwise 
prevent the user from accessing. 


e A member of the Domain Admins group or the domain 
Backup Operators group can back up all files on any 
computer in the domain. 


e Users who are not members of any of these groups 
can back up only folders and files that they own and 
files for which they have one or more of the following 
permissions: Read, Read & Execute, Modify, or Full 
Control. 


After the scheduled backup job runs, copy the single backup file from your 
backup partition to a CD-R. Although you can copy the .bkf file as is, we 
suggest that you first take an additional step: Compress the file as a .zip file. 
This compression offers several advantages: 


e The backup file is smaller, so that your backup can contain more 
files and still fit on a single CD. 


e Because the file is smaller, it takes less time to copy it. 


e The backup file can be password-protected. Although cracking 
the password on a password-protected .zip file is no challenge for 
a determined hacker, this protection will deter most people. 


e If the backup file is too large to fit on a single CD, you can split 
the .zip file to span multiple CDs. 


Back up directly to CD-R (almost) 


If you choose not to compress your backup file as a .zip file and if 
you use Windows XP, set up Windows Backup to store the .bkf file in 
the staging area for writing CDs. Creating the file in that folder 
doesn’t write it directly to a CD-R disc, but it allows you to write the 
file to CD-R with only a single click. To use this trick, replace step 4 
above with the following: 


4. Click the Browse button. In the File Name box of the 
Save As dialog box, type Youserprofile™% \local 


settings\application data \microsoft\cd 
burning \backup.bkf and then click Save. 


After you run the backup job, open My Computer, right-click your 
CD-R drive, and choose Write These Files To CD. 


The backup file created by your scheduled backup job always has the same 
name. You'll find it easier to keep track of your frequent backups if you give 
them a more meaningful name; we suggest using the file date as the file 
name. 


Changing a file name and creating a .zip file is a perfect application for a batch 
program. Here’s one that can do the job: 


:: Batch program to compress daily backup for storage on CD-R 
@echo off 
Gils 


Create environment variables with today's date values. 


setlocal 

Fore Jit Virokeas=i-4 celins=/ * Soi im ( dare fr’) clo ( 
set Day=%s%1 

set MM=%%J 

set DD=S%Sk 

set YYYY=S%1 


This batch program assumes that your scheduled backup file 
as D:\Backup\Backup.bkf. If you use a different folder or 
name, replace the values in the following lines. 


cd /d d:\backup 


Error handling: check for existence of source and target f: 
not exist backup.bkf goto nofile 
exist SYYYYS-%SMM%S-%SDD%.bkf goto targetexists 


Fh Fh 


Use today's date as the file name for the backup file. 


ren backup.bkf SYYYY%S-SMM%-SDD% .bkf 


Use WinZip and the WinZip Command Line Support Add-On to c 
the backup file. Replace PASSWORD with the password you wal 
use for protecting the compressed backup file. 
"Sprogramfiles%\winzip\wzzip" -m -ex -s"PASSWORD" %SYYYY%S-%MM%- 
Gls 
echo The backup has been compressed and saved as SYYYY%S-%SMM%-‘ 
echo. 
dir SANA SMS DDS. Zip | fined fa Yaaljo™ 
echo. 
echo the file size shown above is greater than 650,000,000, 
echo need to open the file in WinZip and use its Split functi< 
pause 
goto end 


ol? 


:nofile 


echo The expected backup file, D:\Backup\Backup.bkf, doesn't « 
pause 
goto end 


:targetexists 
echo A file named %YYYY%S-%MM%S-%DD%.zip already exists. 
pause 


:end 
endlocal 


Pa 


You ca n find this file, which we call CompressBackup.bat, on this book’s 
companion CD. Save it on your hard disk and modify it as necessary. (In 
particular, you'll need to change the references to D:\Backup and Backup.bkf if 
you store your backup file elsewhere, and you'll need to pick a better password 
than PASSWORD for the .zip archive.) 


To use CompressBackup, you need WinZip and the WinZip 
Command Line Support Add-On. You can download them from 
http://www. winzip.com; the add-on is located at 

http://www. winzip.com/wzcline.htm. If you prefer to use a different 
.zip Management program, you'll need to modify CompressBackup. 


Open the Start menu and choose Programs, Accessories, System Tools, 
Scheduled Tasks and set up CompressBackup to run as a scheduled task after 
your daily backup runs. When you return to your computer after both the 
backup and CompressBackup have run, copy the .zip file (which has the 
backup date as its file name) to a CD. 


If the file is too big to fit on one CD, open the file in WinZip. Open the Actions 
menu and choose Split. In the Part Size box, select CD-ROM to create files that 
will fit on a CD. 


Troubleshooting 
The backup file won’t compress. 


The daily backup scheme we’ve described has one significant 
limitation: If your backup file is larger than 4 GB, you’re in a pickle. 
You won’t be able to compress the file because the .zip format 
doesn’t support files that large. And because you can’t compress it, 
you can’t split it across multiple CD-size files. The CompressBackup 
batch file will fail with an error; it doesn’t handle this situation with 
aplomb. 


Your solution in this case is to modify your backup job so that it 
creates two or more smaller backup files. You should also consider 
increasing the frequency of your full backup, moving files that don’t 
change out of your My Documents folder, or using differential 
backups, as described in the accompanying InsideOut tip. 


Use differential backups 


Because our recommended strategy uses a disk image as the 
periodic full backup instead of using a file backup, the archive 
attribute isn’t cleared when you perform a full (that is, disk image) 
backup. Therefore, you can’t rely on a backup program’s differential 
backup type to copy only the files that have changed since your last 


full backup—unless, that is, you clear the archive attributes for all 
files when you perform the full disk image backup. 


You can clear the archive attribute for every file on a disk with a 
single use of the command-line utility Attrib. For example, to clear 
the archive attribute for all files on drive C, use this command: 


artei -a e\o /s 


By saving this single line to a batch program that is scheduled to 
run immediately after the full backup job runs, you're in effect doing 
exactly what Windows Backup does when it performs a normal (that 
is, full) backup. For your frequent interim backups, you can then 
select all the files on a system (instead of selecting particular 
folders) and use a differential backup type. This method ensures 
that every file that has changed is backed up; it doesn’t rely on your 
ability to figure out where every program stores its files that have 
changed. 


Note that this command doesn’t change the archive attribute on 
hidden files or files for which your account doesn’t have at least 
read permission. Therefore, such files that have the archive 
attribute turned on will be included in your differential backup 
unless they're specifically excluded. Many hidden files are excluded 
by default in Windows Backup. 


Backing Up Other Information 


Backing up to removable media and storing it 
offsite is your best defense against losing data as 
the result of any of the catastrophes outlined at 
the beginning of this chapter. You might have 
reason to back up certain subsets of your 
information, however. The following sections 
explain some of the other backup tools you might 
want to use for preventing data loss. 


Performing Special-Purpose Backups 


In addition to (not instead of!) developing and 
using a system for backing up your entire hard 
disk, you might find it useful to back up certain 
parts of your system, such as the data from a 
particular program. Backups like these can be a 
useful part of your regular backup regimen, or 
you might use them to move a program’s data 
and settings to another computer. 


Use the Files And Settings 
Transfer Wizard 


Windows XP includes a Files And 
Settings Transfer (FAST) Wizard, 
which can help you transfer files and 
settings from your old computer to a 
new one running Windows XP. If you 
have Windows XP and if the program 
for which you want to back up data is 
supported by FAST, the wizard can be 
a handy tool for an occasional ad hoc 
backup as well as for moving files and 
settings to a different computer. 


To start the wizard, open the Start 
menu and choose All Programs, 
Accessories, System Tools, Files And 
Settings Transfer Wizard—or simply 
type migwiz at a command prompt. 
When you get to the What Do You 
Want To Transfer page, be sure to 
select the check box that lets you 
specify a custom list of files and 
settings. On the wizard page that 
follows, you'll need to select and then 
remove settings, folders, and file 
types that you’re not interested in 


exporting. You'll find more details 
about FAST in our earlier book, 
Microsoft Windows XP Inside Out 
(Microsoft Press, 2001). 


Begin by looking within the program itself; many 
offer a File, Export command that you can use for 
backing up your data. If your program doesn’t 
have export capabilities, you might be able to 
find special-purpose add-in programs for backing 
up a particular program’s files and settings. 


E-Mail 


If you use Microsoft Outlook Express, you can 
back up your account settings, address book, and 
mail folders from within the program. Tom Koch’s 
excellent Web resource, Inside Outlook Express 5 
(http://www.tomsterdam.com/insideoe5/backup/ 
), explains how. (The information generally 
applies to Outlook Express 6 as well.) Microsoft 
offers similar information in Knowledge Base 
article Q270670. If you want to back up your 
newsgroup messages or program settings (such 
as signatures, message rules, view settings, 
blocked senders list, and so on), you'll need to 
either dive into the registry (see Knowledge Base 
article Q276511 for details) or use a third-party 
program such as Express Assist, from 
AJSystems.com, Inc. 
(http://www.ajsystems.com), or Express Archiver 
(http://www.expressarchiver.com). 


Users of Microsoft Outlook can perform most 
backup tasks from within Outlook. Knowledge 
Base articles explain how: See Q287070 for 
Outlook 2002 (part of Microsoft Office XP), 
Q196492 for Outlook 2000, Q184817 for Outlook 
98, or Q168644 for Outlook 97. Nonetheless, 


programs are available to make the process 
easier. Microsoft offers the free Personal Folders 
Backup add-in for Outlook 2002/2000 
(http://office. microsoft.com/downloads/2002/pfb 
ackup.aspx); for other Outlook versions or for 
more comprehensive backups, we recommend 
OutBack Plus, from AJSystems.com. 


If Eudora is your e-mail program of choice, check 
out BackDora, a shareware program from 
AjJSystems.com that backs up all or selected 
messages into a compressed file. (Eudora saves 
e-mail messages as individual plain-text files, 
which can chew up large amounts of disk space if 
left uncompressed.) BackDora can also back up 
Eudora’s system files and file attachments. 


Microsoft Office Settings 


As you use Microsoft Office, it creates a profile—a 
collection of settings that includes your Office 
program preferences and options, custom 
dictionaries, custom templates, AutoCorrect lists, 
and AutoFormat lists. These settings are 
scattered across various files and registry entries; 
finding them and backing them up manually is a 
real chore. Microsoft has a solution: the Save My 
Settings Wizard. This wizard is included with 
Office XP; users of Office 2000 can download the 
wizard from 

http://office. microsoft.com/downloads/2000/02ks 


msdd. aspx. 


To run the wizard, open the Start menu and 
choose Programs, Microsoft Office Tools, Save My 
Settings Wizard. The wizard backs up your Office 
profile to a file or to a secure Web site. You use 
the same wizard to restore your settings, either 
to the same computer or to another. (This makes 


it easy to configure Office on multiple 
computers. ) 


For information about backing up a 
Microsoft FrontPage Web to CD-R, see 
Knowledge Base article Q310511. 


Registry 


With Windows Backup, you can back up the 
entire registry by including System State in your 
backup selections. (System State also includes 
the COM+ Class Registration Database and boot 
files, such as Ntldr and Ntdetect.com.) System 
State is handy if you need to rebuild your system 
from scratch using your Windows Backup files. 
But it’s an all-or-nothing proposition; you can’t 
selectively back up or restore parts of the 
registry. 


A better tool for backing up certain registry keys 
—which is a good idea if you’re making changes 
to the registry—is Registry Editor (Regedit.exe). 
Use its File, Export command to back up a 
selected key, including all its values and subkeys. 


Using Other Data Loss Prevention Tools 
Included with Windows 


Windows includes some other utilities that can 
help to keep your data secure. Depending on 
which backup regimen you choose, you might 
want to use one or more of these tools on a 
regular basis to reduce the risk of data loss. 


Checking for Hard Disk Errors with 
Chkdsk 


Chkdsk is a command-line utility that checks a 
disk for file-system and media errors. Windows 
includes a graphical interface for Chkdsk (shown 
here), which you can display by right-clicking the 
disk in Windows Explorer, choosing Properties 
from the shortcut menu, clicking the Tools tab, 
and clicking Check Now. 


#-Selecting Automatically Fix File System Errors 
in this dialog box is equivalent to running Chkdsk 
with the /F switch. Choosing Scan For And 
Attempt Recovery Of Bad Sectors is equivalent to 
running Chkdsk with /R. Choosing this second 
option implicitly chooses the first as well; that is, 
if you check for media errors (bad sectors), the 
command also fixes the file system. 


Both of these options require that the system be 
granted exclusive control of the disk you want to 
check. If you have any open files or processes 
that require access to the disk, you are notified 
that the requested checkup cannot be carried 
out. You then have the option of having the 
system check your disk the next time you start 
your computer. If you accept, Windows performs 


the desired check at your next startup, before the 
logon screen appears. 


The easiest way to perform automatic file-system 
and media checks at regular intervals is to create 
a batch program that executes Chkdsk.exe and 
then create a scheduled task to execute the batch 
program. Chkdsk has some additional options not 
provided by the graphical interface; to see an 
explanation of these options, open a command 
prompt window and type chkdsk /?. 


Keeping an Up-to-Date Emergency 
Repair Disk 


If you use Windows 2000, you should create an 
Emergency Repair Disk (ERD). An ERD is a floppy 
disk containing data that might allow Windows 
2000 to get your system running again if it fails 
to start in the normal way. You should update 
your ERD regularly, as one of your routine 
maintenance procedures. That way, if the need 
ever arises, you'll have a reasonably current 
recovery disk at your disposal. 


To create an ERD, run Windows Backup. On the 
Welcome tab, click Emergency Repair Disk. 


The process of creating an ERD optionally creates 
a registry backup in %SystemRoot% 
\Repair\Regback. (The files are too large to fit on 
the floppy disk.) If your registry is damaged, the 
ERD recovery process can make use of this 
backup. However, these registry backup files, 
which include the Security Accounts Manager 
(SAM), make an attractive target for malicious 
hackers. Anyone who gains access to the 
Regback folder (which is open to all users) can 
view or make a copy of these files. Because of 
Syskey protection, the SAM is still a tough nut to 


crack. (For information about Syskey, see 
Nonetheless, some security experts suggest not 
using the option of creating a registry backup. 
Instead, use other tools (such as a disk image 
backup) to protect registry data. Alternatively, 
move the registry data from Regback to 
removable media that you keep in a secure 
location. 


For information about using the ERD, 


see Restoring_a System Using the 
Emergency Repair Disk. 


System Restore 


System Restore is a Windows XP service that 
runs in the background, keeping track of changes 
to your system. Once a day, System Restore 
automatically creates a snapshot of system files 
and registry data, storing it in hidden archives for 
safekeeping. In addition to the periodic snapshots 
(called restore points), System Restore creates a 
restore point when you take any of the following 
actions: 


e Install an unsigned device 
driver. When you attempt to install 
an unsigned hardware driver, 
Windows displays a warning 
message. If you choose to 
continue, System Restore creates a 
restore point before the installation 
proceeds. 


e Install an application that uses 
a System Restore-compatible 
installer. Applications that use 


Windows Installer (such as Office 
XP) or InstallShield Professional 
version 7 or later trigger creation of 
a restore point. 


Install a Windows update or 
patch. System Restore creates a 
restore point whenever you install 
an update using Windows Update or 
Automatic Updates. 


e Restore an earlier configuration 
using System Restore. When you 
revert to an earlier configuration, 
System Restore saves your current 
configuration so that you can undo 
the restore if necessary. 


e Use Windows Backup to restore 
data. When you restore files with 
Windows Backup, System Restore 
creates a restore point. If restoring 
the files causes problems with 
Windows system files, you can 
revert to a working configuration. 


You can also create your own restore points. To 
do that, open System Restore by clicking the 
Start button and choosing All Programs, 
Accessories, System Tools, System Restore. In 
the window that appears (see Figure 6-4), select 
Create A Restore Point and click Next. 


“-Figure 6-5. In addition to the 
automatically created restore points, you can 
create your own. 


System Restore does not back up any document 
files, e-mail files, or files in the My Documents, 
Favorites, Cookies, Recycle Bin, Temporary 
Internet Files, History, or Temp folders. 


Therefore, you can restore an earlier 
configuration without affecting any of the files 
that you have created or modified since the 
restore point was created. (For this same reason, 
of course, System Restore is useless as a backup 
system for your documents; that’s not its 
purpose.) 


To restore your system to a previous 
configuration, you must be logged on as a 
member of the Administrators group. Shut down 
all running programs, and make sure that no 
other users are logged on to the machine (either 
in inactive local sessions or across the network). 
Then start System Restore, select Restore My 
Computer To An Earlier Time, and click Next. In 
the window shown in Figure 6-6, you can select a 
date and a specific restore point on the selected 
date. 


“Figure 6-6. Bold text identifies dates on 
which one or more restore points were 
saved. 


Our earlier book, Microsoft Windows 
XP Inside Out (Microsoft Press, 2001), 


contains more details about System 
Restore. 


Protecting Backups 


Creating a good backup is half the battle; the rest 
is ensuring that the backup is in usable condition 
when you need it! Your backup media share some 
of the same risks as your primary data storage: 
the chance of theft, for example, or damage from 
fire, flood, tornado, hurricane, earthquake, and 
other natural disasters. 


In addition, outside your computer's protective 
case, your media are subject to some 
environmental risks, such as exposure to 
sunlight, temperature and humidity variations, 
and magnetic fields. By observing a handful of 
simple guidelines, however, you can protect your 
backups from damage. 


Bear in mind that magnetic media—tapes in all 
formats, removable disks such as Zip and Jaz 
disks, floppy disks, and so on—are sensitive to 
damage from magnetic fields. While that might 
seem rather obvious, it’s not always obvious 
where those magnetic fields lie. Most speakers 
and monitors contain a magnet and can generate 
data-destroying magnetic fields. Be sure to store 
your magnetic media away from such devices. 


If you’re going to keep your backups on-site, you 
should store all backup media—magnetic or 
optical—in a fireproof safe. Be aware, however, 
that most fireproof safes, which are designed for 
protecting business papers and the like from fire 
damage, are inadequate for protecting computer 
media. A safe is considered “fireproof” if its 
internal temperature remains below 350 degrees 
Fahrenheit for a specified amount of time— 
usually 20 to 30 minutes—while exposed to fire. 
Although that’s well below the flash point of 


paper (remember Ray Bradbury's Fahrenheit 
451?), magnetic media can become unusable if 
exposed to temperatures of about 280 degrees or 
higher. Some manufacturers of fireproof safes 
make “media safes,” which are specifically 
designed for protecting magnetic media (as well 
as film media, such as negatives, transparencies, 
microfilm, and the like) by keeping the internal 
temperature below 125 degrees during a fire. 
Manufacturers of media safes include the 
following: 


e FireKing International 


(http://www. fireking.com) 


e Schwab Corp. FireGuard Safes 


(http://www.schwabcorp.com/Medi 
aSafes.htm) 


e Sentry 
(http://www. sentrysafe.com) 


A media safe provides protection from theft as 
well as fire. Not all are waterproof, however, so 
flooding remains a threat, as does structural 
damage from earthquake and storms. Your best 
protection against such threats is to store your 
backup media offsite—somewhere away from 
your computer. The farther you can go, the 
better, as you'll gain greater protection against 
regional disasters such as earthquakes or 
wildfires. By putting some distance between your 
original data and the backups, you’re unlikely to 
lose both. Such an arrangement isn’t feasible for 
everyone, of course. (It’s particularly difficult if 
you work out of your home so that your “office” 
and your “home” are only a few feet apart.) Even 
so, you might be able store periodic full backups 
with a friend or relative. 
| 


Use Web-based backup 


Another way to set up an off-site 
backup is to use a Web-based backup 
service. For reasons outlined earlier i’n 
this chapter (see Backing_Up Selected 
Folders and Files), such services are 
generally impractical for full backups, 
but they can be useful for off-site 
backup of your most important files. A 
number of companies offer limited 
amounts of storage at little or no cost. 
These are a few of the more well 
known: MSN Groups 
(http://groups.msn.com), Yahoo! 
Briefcase 

(http://briefcase. yahoo.com), and 
Xdrive (http://reseller.xdrive.com). 


For the most effective use of off-site storage, 
follow these guidelines: 


e Set up a schedule to rotate media 
between off-site and on-site 
storage locations. 


e The schedule should be set up so 
that at no time are all recent 
backups on-site. The exchange of 
off-site and on-site media should 
occur at the off-site location 
(because the primary data—your 
hard drive—is at the on-site 
location) so that at least one set of 
recent backups is off-site at all 
times. 


e Maintain a log of backup media— 
and keep a copy at an off-site 
location. (If you keep the log in one 


or more text files, you could keep 
the log in a folder of a Web-based 
e-mail account. ) 


Recovering Data 


As its title suggests, this chapter is about 
protecting your data from loss. In this final 
section, we take a high-level look at some of the 
options available for recovering damaged or 
missing data. 


Recovering Individual Files from 
Backups 


Your most common data recovery task is likely to 
be restoring individual files. This need arises after 
the “Doh!” moment when you realize you’ve 
deleted or modified a file that you meant to keep. 
If you have a backup available, the task is 
simple: You can restore individual files by using 
the same program (or suite of programs) you use 
for backing up files. 


Windows Backup, for example, restores files from 
the backup media it creates. You can use its 
Backup Or Restore Wizard or the “advanced” 
interface, just as you can when you back up. 
Either way, you can select among your various 
backup sets and then select individual folders and 
files to restore. You have the option to restore 
files to their original location or to an alternative 
folder you specify. (If you use the wizard, click 
Advanced on the last wizard page to set these 
options; see Figure 6-7.) You can also specify 
what should happen if the files you’re restoring 
already exist on your computer. 


“-Figure 6-7. You can choose to restore your 
files to the original locations or to another 
location. 


You can also use tools that back up entire 
partitions to selectively restore files. If you back 
up a partition with Drive Image, for example, use 
ImageExplorer (a program included with Drive 
Image) to select and restore folders and files in a 
partition image file. (In versions of Drive Image 
earlier than 5, a program called Drive Image File 
Editor performs a similar function.) 


Restoring a System Using the 
Emergency Repair Disk 


In Windows 2000, the emergency repair process 
(the recovery measure that uses your ERD) can 
help you do the following: 


e Repair problems with system files 


e Repair problems with your startup 
environment, if you have a dual- 
boot or multiboot system 


e Repair the partition boot sector on 
your boot volume 


To use the emergency repair process: 


1. Start your computer from the 
Windows 2000 CD (if you can boot 
from a CD) or from the Windows 
2000 Setup disks. 


2. You'll be asked whether you want to 
continue installing Windows 2000. 
Answer yes. 


3. You'll be asked whether you want to 
do a full install or repair an existing 
installation. Choose the latter by 
pressing R. 


4. Indicate whether you want to 
perform a “fast repair” or a 
“manual repair.” 


5. Insert the ERD when prompted. 


A fast repair requires no further decisions from 
you. The repair process attempts to fix your 


system files, the boot sector, and your startup 
environment. If your registry appears to be 
damaged, the fast repair process restores the 
copy of your registry that the Setup program 
created when you first installed Windows 2000. 
(If your registry does not appear to be damaged, 
the fast repair process does not change it.) The 
repair process does not restore your own profile 
settings—the portion of the registry stored in the 
file Ntuser.dat. If that part of your registry is in 
good shape, your personal settings will still be 
intact. The rest of the registry, however, will 
revert to the condition it was in the day you 
installed Windows 2000. If you had the foresight 
to create a backup of your registry (via the 
System State option in Windows Backup or the 
equivalent in another backup program), you'll be 
able to use that backup to restore the registry to 
a more current condition. 


A manual repair lets you choose whether you 
want to repair the system files, the boot sector, 
or the startup environment (or any combination 
of those), but it doesn’t let you do anything with 
the registry. 


For more details about the differences between 
the fast repair and manual repair options, see 
Knowledge Base article Q238359. 


Restoring a System Using an 
Automated System Recovery Disk 


Automated System Recovery (ASR) is a feature of 
Windows XP Professional that’s intended to 
restore your system in the event of catastrophic 
failure. But it isn’t fully automated, and it can 
recover your system only if the ASR disk is 
accompanied by its full system backup, which is 
created by Windows Backup. An ASR backup set 
includes the complete contents of your system 
volume, plus information about the current 
arrangement of disk partitions, system files, and 
detected hardware. 


If you create the ASR set using 
Advanced Mode in Windows Backup, 
only the system volume is backed up. 
If you want to include other drives in 


the backup, use the Backup And 
Restore Wizard and select All 
Information On This Computer to back 


In the event of a catastrophic failure of your 
system volume, you can boot from the Windows 
XP CD, press F2 to run Automated System 
Recovery when prompted by Windows Setup, and 
then follow the prompts to restore your system. 


Booting from floppy disks 


If you can’t boot into Windows—or if 
you need to perform certain file 
operations that can’t be done while 
Windows is running—you can boot 
from your Windows CD. Follow the 
prompts, choose the option to repair 
your installation, and then choose 


Recovery Console. After you enter the 
password for the Administrator 
account, you'll see a simple command 
prompt. This command-line interface 
supports a limited number of 
commands, but they’re plenty 
powerful. For more information about 
Recovery Console, see our earlier 
book, Microsoft Windows XP Inside 
Out (Microsoft Press, 2001). 


But what if your computer doesn’t 
support booting from CD, or what if 
your computer didn’t come with a 
Windows CD? If you have Windows XP, 
you can download a file from Microsoft 
that creates a set of bootable setup 
floppy disks. For details, see 
Knowledge Base article Q310994. 


Recovering Data from a Damaged Hard 
Disk 


If, despite our admonitions, you don’t have a 
backup copy of your data when your hard disk 
crashes, all is not lost. Using sophisticated tools, 
data recovery services can often recover some or 
all of your data, even if your disk has been 
damaged by fire, flood, or other catastrophe. This 
service often comes at a steep price, however; it 
can cost thousands of dollars for recovery 
services. In addition, they aren’t always 
successful; sometimes the hard disk is too 
severely damaged. 


There’s no shortage of companies offering such 
services (proving our statement that most users 
don’t back up their data). An Internet search for 
“data recovery disk crash” turns up a large 
number of vendors for you to evaluate. 


Chapter 7 


Keeping Your System Secure 


So you’ve set up user accounts with secure 
passwords, installed virus protection, configured 
a firewall, and implemented the other security 
measures described in this book. You’re done, 
right? Unfortunately, no. 


Maintaining a secure system is an ongoing 
process. No sooner is one vulnerability eliminated 
than hackers discover another—and another. In 
this chapter, we examine a number of resources 
that you can use to help keep your computer 
system secure. In addition, we show you some 
ways in which you can confirm that your system’s 
defenses are in good shape. 


Security Checklist: Staying Secure 


e Use Windows Update to 
check for security 
updates. 


e Consider using 
Automatic Updates for 
automatic notification 
and (optionally) 
installation of updates. 


Subscribe to a security 
alert service to keep 
apprised of new security 
problems. 


Periodically check for 
changes to your security 
settings. For example, 
check the list of trusted 
sites in Internet Explorer 


to be sure that an 
installation program 
hasn’t surreptitiously 
added a site. (For 
details, see Using 
Security Zones.) Check 
to see whether new 
startup programs have 
been added. (See Table 
13-3) 


e Test your security 
settings periodically 
using Microsoft Baseline 
Security Analyzer or a 
similar tool. 


Keeping Current with Windows 
Update 


Windows Update is a service that provides online 
updates for Windows. The intent is to offer a 
single location where you can obtain service 
packs, updated device drivers, and security 
updates. Certain updates are designated as 
“critical updates”; these patches (also known as 
hotfixes) repair bugs that can hamper your 
system’s performance as well as compromise its 
security. 


Windows Update provides updates 
only to the Windows operating system 
and the various programs included 
with it. For updates to Microsoft Office, 
visit 


http://office.microsoft.com/productup 
dates. Security updates to other 
Microsoft products are announced via 
the Microsoft Product Security 
Notification Service; for details, see 
Receiving E-Mail Alerts. 


To run Windows Update in Windows XP or 
Windows 2000: 


1. Start Windows Update by doing any 
of the following: 


e In the Help And 
Support Center, under 
Pick A Task, click 
Keep Your Computer 
Up-To-Date With 
Windows Update 
(Windows XP only). 


e Open the Start menu 
and choose All 
Programs, Windows 
Update. (In Windows 
2000, simply open 
the Start menu and 
choose Windows 
Update.) 


e At a command 
prompt, type 
wupdmor. 


In Internet Explorer, 
open the Tools menu 
and choose Windows 
Update. 


In Internet Explorer, 
browse to 


http://windowsupdate 
„microsoft.com. 


The first method displays Windows 
Update within the constraints of the 
Help And Support Center window, 
as shown in Figure 7-1. If you use 
any of the other methods, Windows 
Update appears in an ordinary (full- 
featured) Internet Explorer window. 


“-Figure 7-1. You can run 
Windows Update within the 
friendly confines of the Help 
And Support Center. 


. Click Scan For Updates. 


. Click each of the three links on the 
left side—Critical Updates, Windows 
XP (or Windows 2000), and Driver 


Updates—to view information about 
and select available updates in 
those categories. 


Because you'll almost certainly 
want to install all critical updates, 
they’re selected by default. 


4. Click Review And Install Updates. 


Troubleshooting 


Windows Update doesn’t work. 


When you start Windows Update, it 
might display a “Software Update 
Incomplete” message. (This message 
appears before you have an 
opportunity to scan or select updates 
to install.) 


Windows Update requires the use of 
an ActiveX control, which is installed 
the first time you access the Windows 
Update site. To successfully install the 
ActiveX control, you must: 


e Be logged on asa 
member of the 
Administrators group 


e Enable (with prompting) 
the download and 
running of signed 
ActiveX controls. (Use 
settings on the Security 
tab of the Internet 
Options dialog box; for 
more information, see 
Using Security Zones.) 


e Click Yes in the Security 
Warning dialog box that 
asks whether you want 
to install the Windows 
Update control 


You must also be logged on as an 
administrator to use Windows Update. 
Once the ActiveX control is installed, 
an explanatory message appears if a 
nonadministrative user tries to run 
Windows Update. 


You can check for the presence of the 
ActiveX control and learn more about 
it by opening the 
%SystemRoot%\Downloaded Program 
Files folder in Windows Explorer. The 
control for Windows Update is called 
Update Class. 


Customize Windows Update 


Eagerly, you check Windows Update 
and discover there’s something new! 
The letdown comes on closer 
examination, when you discover that 
it’s the same old update to Microsoft 
Movie Maker, which you never use. 
Windows Update will almost certainly 
offer some updates in which you have 
no interest at all. You can, however, 
customize it to eliminate the display of 
individual items or entire sections of 
updates. 


To customize Windows Update in 
Windows XP (or Windows 2000), open 
Windows Update and scan for 
updates. Then click Personalize 


Windows Update (under Other Options 
in the left pane). 


Automating Your Updates 


Windows Updates are not distributed on a regular 
basis. Instead, they’re published when the need 
arises, such as when a patch is developed for a 
newly discovered security vulnerability. You can 
make a habit of regularly checking Windows 
Update to see what’s new, but there’s an easier 
way: you can use the Automatic Update Feature. 


Automatic Updates is not included on 
the Windows 2000 CD. Instead, it’s 
available as an update from@you 
guessed it@Windows Update. 
Automatic Updates replaces an earlier 


updating tool called Critical Update 
Notification, which is no longer 
supported. To install Automatic 
Updates, you must first install Service 
Pack 2 or later for Windows 2000. 


With Automatic Updates feature enabled, you 
don’t need to remember to visit the Windows 
Update site periodically. Instead, Automatic 
Updates checks for you and (depending on your 
settings) downloads updates in a way that 
throttles its use of your Internet connection 
bandwidth to avoid interfering with your normal 
use of the connection. With its default settings, 
Automatic Updates does not install any updates 
without your approval; it merely downloads the 
installation files to your computer. When one or 
more updates are ready to be downloaded or 
installed, Automatic Updates displays a pop-up 
message, shown in Figure 7-2. 


Automatic Update retrieves only 
critical updates. To view, download, 


and install other Windows updates and 
driver updates, you'll need to visit the 
Windows Update site. 


“-Figure 7-2. After the pop-up message 
disappears, you can open Automatic Updates 
by double-clicking its icon. 


Clicking the pop-up message (or, if you’re not 
quick enough on the draw, double-clicking the 
icon from which the message emanates) opens 
an Automatic Updates dialog box, as shown in 
Figure 7-3. To learn about the updates that are 
ready to be downloaded or installed, click Details. 
In a dialog box similar to the one shown in Figure 
7-4, you can select the updates you want to 
install. 


“-Figure 7-3. Click Remind Me Later if you 
don’t want to be bothered with an update 
installation right now. 


“-Figure 7-4. Automatic Updates displays a 
list of available updates when you click 
Details in the first dialog box. 


Install updates on your own 
schedule 


If you decide not to download or 
install a particular update and you 
clear its check box, you can install it 


at another time. To install an update 
that you previously rejected, open 
Automatic Updates as described in the 
following paragraph. Then click 
Declined Updates. 


To configure Automatic Updates in Windows XP, 
open Control Panel, System and then click the 
Automatic Updates tab. In Windows 2000, open 


Control Panel, Automatic Updates. In either 
operating system, a dialog box similar to the one 
shown in Figure 7.5 appears. To enable Automatic 
Updates, select teh Keep My Computer Up To 
Date check box. Then select one of the three 
options: 


e Notify me before downloading 
any updates and notify me 
again before installing them on 
my computer. This option is best 
for users of dial-up Internet 
connections. Automatic Updates 
obtains lists of updates, but doesn’t 
download them until you approve. 
Therefore, you won't consume 
download time for downloads you 
don’t want. 


e Download the updates 
automatically and notify me 
when they are ready to be 
installed. This option is most 
appropriate if you have a high- 
speed, always-on Internet 
connection, such as cable or DSL. If 
you decide not to install an update 
that has been downloaded, 
Windows deletes the dowloaded 
files from your computer. If you 
later change your mind, open 
Automatic Updates and choose 
Declined Updates. 


e Automatically download the 
updates, and install them on the 
schedule that I specify. This is 
the “set it and forget it” option; 
when it’s selected, Windows 


automatically downloads and 
installs each update that applies to 
your computer. You can specify 
either a daily or weekly schedule 
and the time of day for the updates 
to occur. 


Clearing the Keep My Computer Up To Date box 
disables Automatic Updates. Doing so is 
appropriate if you want to manage updates from 
a network location instead of having each 
computer download and install updates 
individually. (For details, see the following 
section. ) 


“-Figure 7-5. To have Windows check for 
updates automatically, choose either of the 
first two options. 


Monitor Windows Update 


If you encounter problems 
downloading or installing updates, you 
can enable “stepping mode.” In this 
mode, Windows Update stops at each 
step along the way and displays a 
dialog box; you must click a button to 
proceed. Stepping mode is also useful 
for identifying download locations and 
viewing command-line switches, and it 
provides entertainment for those 
people who are interminably curious 
about the inner workings of Windows. 


To enable stepping mode, use Registry 
Editor to open the 
HKLM\Software\Microsoft\Active Setup 
key. Create a new string value named 
SteppingMode and set its value data 


to Y. (To disable stepping mode, 
change the value data to N.) 


For more information about stepping 
mode, see Microsoft Knowledge Base 
article Q248439. 


Downloading the Update Files for 
Multiple Computers 


Some of the available updates are quite large, 
often exceeding 5 MB of data. And sometimes the 
file size shown in Windows Update is misleading; 
it indicates only the size of the installer for the 
update, not the update itself, which might be 
considerably larger. Particularly if you have a slow 
Internet connection, you'll want to minimize the 
bandwidth consumed by downloads from 
Windows Update. 


Although it’s not very well advertised (compared 
to the myriad ways to start Windows Update— 
only a portion of which are enumerated earlier in 
this chapter), Microsoft maintains Web sites 
where you can download stand-alone installable 
versions of the security patches and other 
updates for Windows. At the time of this book’s 
publication, one site (called Windows Update 
Catalog) offers updates for Windows XP, Windows 
2000 and Microsoft Windows .NET Server, and 
another site (called Windows Update Corporate 
Site) provides updates for Windows 2000 and 
earlier versions of Windows. 


The easiest way to access Windows Update 
Catalog is to open Windows Update, click 
Personalize Windows Update (in the left pane), 
and then select Display The Link To The Windows 
Update Catalog Under See Also. Click Save 
Settings to have a link to Windows Update 
Catalog appear in the left pane each time you 
visit Windows Update. Alternatively, you can use 
this direct link: 


http://v4. windowsupdate. microsoft.com/en/defau 


[t.asp?corporate=true 


To access Windows Update Corporate Site, 
browse to 


http://corporate. windowsupdate. microsoft.com 


Both sites let you search for updates based on 
operating system, language, date posted, 
content, and type of update. 


Download updates on a fast 
connection 


If you have a T1 or other fast Internet 
connection at work and a slow dial-up 


connection at home, use the Windows 
Update Catalog to download the 
updates using your fast connection. 
Burn the files to a CD-R, take it home, 
and run the setup files. 


Security Alert Services 


In this book, we offer plenty of specific 
information about steps you can take to secure 
your computer. But we don’t provide the level of 
detail that would, for example, suggest that you 
install the Internet Explorer patch described in 
Microsoft Security Bulletin MSO2-005. Such 
information would be obsolete even before this 
book is printed. Finding out about—and 
responding to—newly discovered security 
vulnerabilities is an ongoing task. 


Fortunately, you can rely on several services to 
keep you informed. The Automatic Updates 
feature advises you of Windows updates available 
from Microsoft. A number of other tools and 
services can alert you to additional security 
issues. 


Receiving Alerts Through Windows 
Messenger 


If you use Windows XP, you can get updated 
security information through Windows Messenger. 
You'll need Windows XP and Windows Messenger 
version 4.5 or later (not the version that’s 
included on the Windows XP CD). 


To get the latest version of Windows 
Messenger, use Windows Update or 


visit the .NET Messenger Service site 
at http://messenger.microsoft.com. 


With those components in place, sign in to 
Windows Messenger. In the Windows Messenger 
window, choose Tools, Show Tabs, McAfee.com. 
This adds another tab on the left side of the 
Windows Messenger window. Clicking the 
McAfee.com tab displays a window similar to the 
one shown in Figure 7-6. 


“-Figure 7-6. The McAfee.com tab offers an 

up-to-the-moment look at virus and security 
alerts, and includes links to more information 
on the McAfee.com Web site. 


If you want to be the first on your block to know 
about a newly discovered security problem, you 
can set up notification through .NET Alerts. You 
can choose to receive an e-mail message, an 
instant message, or even a pager message the 
moment McAfee.com issues a virus alert. Click 
the link at the bottom of the McAfee.com tab in 
Windows Messenger to sign up for .NET Alerts 
notification. That link takes you to a Web page 
where you can select which events will trigger an 
alert message. From that page, you can also 
configure your .NET Alerts delivery options. You 
might, for example, want to receive an instant 


message if your Windows Messenger status is 
online, a page during the day if you’re not online, 
and an e-mail message at other times. 


If you want to stop receiving alerts 
from McAfee.com, click the same link 
you used to sign up—the one at the 
bottom of the McAfee.com tab. To 
reconfigure your .NET Alerts delivery 
options after your initial setup, click 
the Microsoft .NET Alerts tab in 
Windows Messenger. (If it’s not 
displayed, first choose Tools, Show 
Tabs, Microsoft .NET Alerts.) Then click 
the pencil icon to edit your .NET Alerts 
settings. Alternatively, you can go 
directly to the Microsoft .NET Alerts 
Web site at 
http://alerts.microsoft.com. 


Although the McAfee.com tab in Windows 
Messenger is an interesting application of 
Microsoft .NET Alerts, you might find the not-so- 
subtle reminders of the dangers of viruses and 
the availability of McAfee solutions a bit 
overbearing. The vendors of antivirus programs 
usually have the best and fastest information 
about new viruses, but remember that their goal 
is to sell antivirus programs and services. You can 
expect some exaggeration of the dangers and the 
pervasiveness of virus outbreaks. 


Receiving E-Mail Alerts 


Several reliable sources offer subscriptions 
(usually free) to security alerts sent by e-mail. 
Some send a message only when a security issue 
is discovered (or when a patch is available, or 
both), whereas others publish on a regular 
weekly or monthly schedule, collecting that 
period’s advisories into a single message. Popular 
and trustworthy security alert e-letters include 
the following: 


e Microsoft Product Security 
Notification Service. Every 
system administrator should 
subscribe to this one, which 
delivers each Microsoft Security 
Bulletin as it’s released. (Expect 
five to ten messages per month.) 
The security bulletins from 
Microsoft are often the most 
authoritative because each bulletin 
provides confirmation of a security 
vulnerability and, more important, 
Microsoft’s patch or workaround to 
address the vulnerability. Although 
the bulletins generally describe 
security issues honestly and 
accurately, they’re narrowly focused 
on a single problem and a solution; 
you might find alternative solutions 
(as well as sometimes inflammatory 
discussions) from other sources. 
The security bulletins cover only 
Microsoft products. To subscribe, 
visit 
http://www. microsoft.com/technet/ 
security/notify.asp or send a blank 


message to 
securbas@microsoft.com. (With the 
second method, you don’t need a 
.NET Passport. ) 


CERT Advisories. The CERT 
Coordination Center (CERT/CC) 
issues advisories that explain an 
Internet security problem, including 
information that helps you 
determine whether you’re 
vulnerable and describes fixes or 
workarounds. To subscribe, visit 
http://www.cert.org/nav/alerts.htm 
L. (The CERT/CC also publishes a 
quarterly summary if you don’t 
want to be bothered with individual 
advisories. ) 


Security Alert. InfoWorld offers 
brief alerts of significant security 
issues along with links to the full 
story in InfoWorld magazine. To 
subscribe, visit 
http://www.iwsubscribe.com/newsl 
etters/. (At the same site, you can 
sign up for Security Adviser, a 
weekly security newsletter. ). 


Security UPDATE. This weekly 
security bulletin (along with 
occasional special alerts) from the 
publisher of Windows & .NET 
Magazine offers security tips and 
capsule descriptions of newly 
discovered vulnerabilities. It also 
includes links to sites with more 
information and fixes. To subscribe, 


visit 
http://www.secadministrator.com 

e Crypto-Gram. This monthly 
newsletter by security expert Bruce 
Schneier covers broader security 
issues and cryptography instead of 
providing alerts about particular 
vulnerabilities, putting security 
issues in context. To subscribe, visit 


http://www.counterpane.com/crypt 


o-gram.html 


e NTBugtraq. Security expert Russ 
Cooper leads the discussion of 
security exploits and security bugs 
in Microsoft Windows NT, Windows 
2000, Windows XP, and related 
applications. NTBugtrag and the 
similarly named BugTrag (described 
below) are the only discussion 
forums included in this list (the 
others are announcement-only 
mailing lists), but we include them 
because they offer such a wealth of 
information. To subscribe, visit 
http://ntbugtrag.ntadvice.com 


e BugTraq. BugTraq is a moderated 
mailing list that offers 
announcements and detailed 
discussions of computer security 
vulnerabilities; the descriptions of 
vulnerabilities often explain how to 
exploit them as well as how to fix 
them. To subscribe, visit 
http://online.securityfocus.com 


The alerts these services publish often overlap, 
and you probably won’t want to subscribe to all of 


them. But you should try each one to see which 
best meets your needs. You'll discover that some 
security mailing lists merely publish raw reports 
without validation or control; as a result, they 
can be sources of wild claims that may not stand 
the test of time or careful investigation. You'll 
soon develop your own sense of which ones 
provide accurate information and which ones 
spread panic and sensationalism. 


Be suspicious of security alerts you 
receive. Particularly if an alert directs 
you to a Web site to install a patch or 
an update, be absolutely certain that 
you know who it’s actually coming 
from. It’s all too easy to spoof an e- 
mail address; a malicious person could 
send a “security update” to you and 
make it appear that it’s from 
Microsoft, for example. How can you 
tell if an alert is legitimate? 


e If the message includes 
a “security patch” as an 
attachment, it’s 
definitely not from 
Microsoft. Microsoft (and 
most other reputable 
companies) never 
distributes patches or 
updates by e-mail. 
Microsoft distributes 
patches only by posting 
them to a Web site, and 
they’re always digitally 
signed. 


e Be extremely suspicious 
of a security update that 


comes from an 
unexpected source. (For 
example, if you receive 
a security message from 
“Microsoft” but you don’t 
subscribe to the 
Microsoft Product 
Security Notification 
Service, your radar 
should start beeping.) 


Be suspicious of a 
message with 
grammatical and spelling 
errors—a common trait 
of mail from script 
kiddies. 


Use the usual tools and 
methods for determining 
the true provenance of a 
message. For details, 
see How to Decode an 
E-Mail Header. 


Confirm the sender’s 
identity by examining 
the message's digital 
signature. For details, 
see Ensuring the 
Authenticity and 
Integrity of Your 
Messages. 


Visit the Web site of the 
purported sender to 
confirm information in 
an e-mail message. For 
example, to view an 
unaltered version of a 


legitimate Microsoft 
Security Bulletin, visit 
http://www. microsoft.co 
m/technet/security/curr 


ent.asp 


Other Sources for Security Alerts 


Many Web sites are devoted to issues of 
computer security. The roster keeps getting 
longer and the following list is far from 
comprehensive. It’s a good idea to visit one or 
more of these sites periodically to read about the 
latest security vulnerabilities. 


e Microsoft Security. You can find 
links to security bulletins and virus 
alerts here 
(http://www. microsoft.com/security 
Z), along with numerous security 
checklists, white papers, and other 
security information. 


e CERT Coordination Center. The 
CERT/CC is a federally funded 
research center operated by 
Carnegie Mellon University that 
studies Internet security issues, 
puts out advisories and incident 
notes, and provides a host of other 
security information at its site, 


http://www.cert.org. 


e SANS Institute. The SANS 
(System Administration, 
Networking, and Security) Institute 
is a research and education 
organization of computer security 
professionals. Its site offers 
security news, research 
publications, and much more. Go to 


http://www.sans.org. 


e SecuriTeam.com. Beyond Security 
(http://www. beyondsecurity.com), 


a company that performs 
vulnerability scans and security 
assessments, assembles a 
compendium of security news, 
alerts, and product reviews at 


http://www.securiteam.com. 


eEye Digital Security. eEye offers 
security products and consulting 
services—and has been 
instrumental in uncovering 
vulnerabilities in a number of 
computer programs. You can read 
about their discoveries at 
http://www. eeye.com/html/researc 
h/advisories/ 


Windows Security Guide. This 
site 

(http://www. winguides.com/securit 
y/) provides plenty of general 
information about security as well 
as frequent updates with details 
about the latest vulnerabilities and 
fixes. It not only covers Microsoft 
operating systems but also has 
pages dedicated to Internet 
Explorer, Internet Information 
Server, Microsoft BackOffice 
servers, and various application 
software from Microsoft and other 
publishers. 


Security Update. If you're put off 
by this site’s direct URL 
(http://techupdate.zdnet.com/tech 
update/filters/mrc/0,14175,602042 
4,00.html), you can start your 
navigation at the home page of 


ZDNet Tech Update 
(http://techupdate.zdnet.com) and 
click the Security link. 


Security Administrator. As part 
of Windows & .NET Magazine 
Network, this site supplies security- 
related news and information from 
the magazine. Visit 


http://www.secadministrator.com. 


SecurityFocus. The publisher of 
ARIS security products offers a 
searchable vulnerability database, 
security news updates, and ARIS 
ThreatCon, an “instantaneous 
measurement of global threat 
exposure” at its home page, 
http://www.securityfocus.com. 


3DSpotlight. Unlike the other sites 
in this list, 3DSpotlight is not 
focused exclusively on security. It’s 
a site for PC enthusiasts 
(particularly gaming enthusiasts) 
who are often at the bleeding edge 
of security issues for home users. 
Its OS Updates page 

(http://www. 3dspotlight.com/tweak 
s/updates/) is created with this 
audience in mind, and it does a 
reasonable job of providing current 
information about security updates. 


One other way to keep your ear to the ground on 
security issues is through the mainstream press. 
General circulation newspapers, television, and 
other broadcast media are paying more attention 
to computer security issues. The information they 
present is often sensational, only marginally 


accurate, and sometimes flat-out wrong. 
Nevertheless, it can provide a good “first alert” 
mechanism while you learn about the other news 
of the world. (After all, you don’t want to spend 
all your time focused on computer security! ) 


Testing and Verifying Your 
Secure Status 


Despite your best efforts, it’s often difficult to 
know for sure whether you’ve succeeded in 
securing your computer. How do you know that 
you've patched all your programs, set up secure 
passwords for all accounts, and secured your 
system against intrusion by outsiders? After all, 
the fact that no one has broken in yet doesn’t 
mean they can’t! 


Many security consultants and others provide 
various testing methods. Some will set their best 
attackers to work in an attempt to break into 
your network. Others use time-honored 
techniques such as creating a “honeypot”—a 
sacrificial system that attracts attackers. These 
services are typically beyond the reach of home 
users and small businesses. 


A number of free security scanners and security 
assessment tools are available, however. The 
following Web sites check for open ports that can 
be used in an attack, the existence of viruses or 
Trojan horses on your system, and certain 
security-related settings. None is absolutely 
reliable and some have something to sell or an 
axe to grind—but they can be useful tools for 
periodically assessing your security: 


e Microsoft Baseline Security Analyzer 
(http://www. microsoft.com/technet 
/security/tools/Tools/mbsahome.as 
p) 


e PC Flank (http://www. pcflank.com) 


e Secure-Me tests in the DSLR Tools 
section of DSLReports.com 


(http://www. dsi/reports. com/secure 


me) 


ShieldsUP! at Gibson Research 
Corporation (http://grc.com) 


e Symantec Security Check 
(http://security.norton.com) 


Checking Your Update Status with 
Microsoft Baseline Security Analyzer 


Even with the assistance of Windows Update, it’s 
tough to keep up with all the security fixes, 
patches, and other updates for Windows. 
Fortunately, a tool is available that quickly checks 
the status of security hotfixes. Microsoft Baseline 
Security Analyzer (MBSA) checks the very latest 
list of fixes and compares it with the ones that 
have been installed on one or more computers. 
In addition, MBSA checks the computers for 
common security vulnerabilities (such as weak 
passwords and improper or insecure 
configuration) in Windows, Internet Information 
Services (IIS), Internet Explorer, SQL Server, and 
Microsoft Office. 


Microsoft Baseline Security Analyzer 
replaces two earlier tools that 
provided similar, but less 
comprehensive, security checks: 
Microsoft Personal Security Advisor 
and Microsoft Network Security Hotfix 
Checker (more commonly identified by 
the name of its executable file, 
Hfnetchk). At the time of this book’s 
publication, Hfnetchk was still 
available (in fact, MBSA uses a version 
of Hfnetchk to perform some of its 
tests), but there’s no reason to use 
Hfnetchk instead of (or in addition to) 
MBSA. For information about 
Hfnetchk, see Knowledge Base article 
Q303215. 


You can use MBSA to check your own computer 
or other computers on your network. It looks for 


security hotfixes applied to the following 
operating systems and servers: 


e Windows NT 4 

e Windows 2000 

e Windows XP 

e Internet Explorer 5.01 and later 


e Internet Information Services 4.0 
and later 


e SQL Server 7 and 2000 
e Office 2000 and 2002 


To obtain the latest version of MBSA, use your 
browser to display the Microsoft TechNet article at 
http://www. microsoft.com/technet/security/tools 
/Tools/mbsahome.asp or the Knowledge Base 
article Q320454. Both articles include a link to 
the download site for MBSA, along with 
instructions for downloading, installing, and using 
this tool. After you download the MBSA setup file 
(Mbsasetup.msi), double-click it to run Microsoft 
Baseline Security Analyzer Setup, a 
straightforward setup wizard. 


To run MBSA, you must be logged on as an 
administrator. MBSA initially displays a screen 
such as the one shown in Figure 7-7. 


“Figure 7-7. MBSA uses an interface that’s 
similar to Windows Update. 


After you click one of the links shown in Figure 7- 
7, MBSA asks which computer (or computers) 
you want to check. As Figure 7-8 shows, you can 
specify computers by name or by IP address. In 
this same window, you select which tests you 
want to perform from the following choices: 


e Check for Windows 
vulnerabilities. Selecting this 
option causes MBSA to check for a 
variety of insecure settings. For 
example, it checks to see whether 
all hard disks are formatted as 
NTFS volumes, checks the status of 
the Guest account, and examines 
permissions on shared folders. 


e Check for weak passwords. 
MBSA checks the logon password 
for each user account and warns 
you if it finds blank or weak 
passwords. 


e Check for IIS vulnerabilities. 
With this option, MBSA examines 
your Internet Information Services 
configuration for insecure settings 
and to see whether the IIS 
Lockdown Tool has been run. For 
information about this tool and 
other IIS security issues, see 
Tightening Security on Internet 
Information Services. If you select 
this option and you don’t have IIS 
installed, MBSA reports only that 
ITS is not running. 


e Check for SQL vulnerabilities. 
This option checks for insecure 
settings in SQL Server. If you select 
this option and you don’t have SQL 
Server installed, MBSA reports only 
that SQL Server is not installed. 


e Check for hotfixes. Selecting this 
option causes MBSA to download 
the latest information and scan the 


specified computers for installed 
hotfixes. For this scan, MBSA uses a 
version of Hfnetchk, which uses a 
frequently updated XML database 
to check for hotfixes for each of the 
Microsoft products listed at the 
beginning of this section, except 
Microsoft Office. 


For each applicable hotfix, Hfnetchk 
checks the registry to see whether 
a particular key exists. It then 
checks the file version and 
checksum for each file installed by 
the hotfix to ensure that it’s the 
correct version and that it hasn’t 
been modified. 


“-Figure 7-8. If you choose to 
scan multiple computers, you 
can specify the name of your 
workgroup or domain, or you 
can specify a range of IP 
addresses in a window that’s 
only slightly different from this 
one. 


Scan your entire network 


You can scan all the computers on 
your local network at one time. You'll 
need to be logged on using an account 


that has administrative permission on 
each computer. Simply click the link to 
scan multiple computers, and then 
enter the name of your workgroup or 
domain in the Domain Name box. 


After MSBA completes its scan of the selected 
computers, it displays a report similar to the one 


shown in Figure 7-9. 


“-Figure 7-9. You can print the results of an 
MBSA scan by clicking the Print link in the 
left pane. 


Troubleshooting 


MBSA reports “no computers were 
found.” 


After you select a computer and 
instruct MBSA to scan it, the program 
cogitates for a few moments and then 
displays “Unable to scan all 
computers. No computers were 
found.” This rather misleading 


message merely means that your 
account is not an administrator 
account on the computer you’re 
attempting to scan. To scan your own 
computer, your account must be a 
member of the local Administrators 
group. To scan another computer on 
your network, you must use an 
account that’s a member of that 
computer’s local Administrators group. 


An icon by each test shows at a glance the status 
of the computer’s security settings. A red X 
indicates a critical vulnerability exists; a yellow X 
indicates that a computer failed a noncritical test. 
A green check mark, of course, is a good thing. 
The links beneath each test result lead to more 
information about the test. Figure 7-10 shows the 
window displayed by clicking Result Details under 
the first test shown in Figure 7-9. 


“-Figure 7-10. Clicking Result Details for the 
Local Account Password Test shows which 
accounts have a weak password. 


Clicking Result Details for the Windows Hotfixes 
test displays a list of hotfixes that have not been 
installed, with each missing hotfix identified by a 
Microsoft Security Bulletin number. (A Microsoft 
Security Bulletin identifier begins with MS 
followed by a two-digit number representing the 
year. The number following the hyphen is a 
sequential number.) To learn more about the 
missing hotfixes, you can click the link to display 
the bulletin. Each security bulletin includes a link 
to the hotfix, which you can download and install. 


Finding specific security bulletins 


You can navigate to a security bulletin 
by starting at 

http://www. microsoft.com/security/. 

Alternatively, you can go directly toa 
security bulletin. To display bulletin 


MS01-54, for example, use this URL: 


http://www. microsoft.com/technet/se 
curity/bulletin/MS01-054.asp 


To display another bulletin, simply 
replace the bulletin number at the end 
of the URL. 


Using links in the left pane, you can print your 
report or copy it (in HTML format) to the 
Clipboard for inclusion in another document. 


MBSA stores each of your test results as well. 
Each report is saved as an XML document in 
%UserProfile%o\Securityscans. To view the results 
of a previous scan, in MBSA’s left pane click Pick 
A Security Report To View. You can then click any 
report to review its results. 


Using MBSA Command-Line Options 


As an alternative to opening MBSA from its Start 
menu icon, you might find it more convenient to 
use a command prompt. At a command prompt, 
MBSA supports a rich collection of command-line 
parameters. By using these parameters, which 
are described in Table 7-1, you can create 
scheduled tasks or batch programs that allow you 
to automate the scanning process. MBSA displays 
its findings in a Command Prompt window (or in 
a text file if you use the /F parameter), but it also 
creates an XML report, just as the graphical 
version of MBSA does. 


To run MBSA from a command prompt, be sure 
the folder containing MBSA files (by default, 
%ProgramFiles%\Microsoft Baseline Security 
Analyzer) is the current folder and then type 
mbsacli followed by the appropriate parameters. 
For more information about MBSA command-line 
parameters, type mbsacli /? at a command 
prompt. 


Table 7-1. MBSA Command-Line Parameters 


Parameter Description 


Specifying Computers to Scan 


Parameter 


/C 


domainname\computername 


/I XXX.XXX.XXX.XXX 


/R_XXX.XXX.XXX.XXX- 


XXX. XXX. XXX.XXX 


/D domainname 


Description 


Identifies the 
computer to 
scan by 
specifying the 
name of the 
domain (or 
workgroup) and 
the name of the 
computer. If you 
don’t include the 
/C, /1, /R, or /D 
parameter, MBSA 
scans the local 
computer. 


Identifies the 
computer to 
scan by 
specifying its IP 
address. 


Identifies the 
computers to 
scan by 
specifying a 
range of IP 
addresses. 


Specifies 
scanning of all 
computers in the 
named domain 
or workgroup. 


Parameter 


Specifying Scan Options 


/N 


Specifying Output 


Description 


Specifies options 
to skip. You can 
follow /N with 
any of the 
following 
options: Hotfix 
(skips hotfix 
checks); IIS 
(skips Internet 
Information 
Services 
checks); OS 
(skips Windows 
operating 
system checks); 
Password (skips 
password 
checks); SQL 
(skips SQL 
Server checks). 
To skip multiple 
options, 
separate the 
option names 
with a plus sign 
(for example, /n 
lis+password). 


Parameter 


/O template 


/E 


/L 


/Ls 


/Lr reportname 


Description 


Specifies the 
name of the 
report file. The 
default template 
is %domain% - 
% 
computername% 
(Y%date%). 


Displays errors 
from the latest 
scan. 


Lists all saved 
report files. 


Lists reports 
from the latest 
scan. 


Displays the 
overview report 
from the saved 
reportname file. 
Enclose 
reportname in 
quotation marks. 


Parameter 


/Ld reportname 


/Qp 


/Qe 


/Qr 


/Q 


/F filename 


Description 


Displays the 
detailed report 
from the saved 
reportname file. 
Enclose 
reportname in 
quotation marks. 


Hides display of 
scan progress. 


Hides display of 
the error list. 


Hides display of 
the report list. 


Hides display of 
scan progress, 
error list, and 
report list. 


Redirects output 
to a file. 


Learning More About MBSA 


Two convenient resources supply additional 
information about MBSA: 


e Knowledge Base article Q320454 
provides detailed information about 
MBSA 


e The newsgroup 
microsoft. public.security.baseline_a 
nalyzer offers a discussion forum. 


Going Beyond MBSA 


The company that developed Hfnetchk and MBSA 
for Microsoft, Shavlik Technologies, offers 
HFNetChkPRO and EnterpriseInspector. (Can 
somebody show these people where the 
Spacebar is?!) These enhanced versions are 
designed for administrators of large networks and 
they provide a complete patch management 
solution. For details, visit http://www. shavlik.com 


Part 2 


Protecting Your Personal 
Computer 


Chapter 8 


Making Internet Explorer Safer 


If you subscribe to the Microsoft Security 
Notification Service (a practice we strongly 
encourage; see Receiving E-Mail Alerts.), you will 
almost certainly be alarmed by the steady stream 
of e-mail messages announcing newly discovered 
security holes in Microsoft Internet Explorer. If 
you're a casual Microsoft Windows user who 
reads these bulletins carefully, you might decide, 
quite logically, that most of the vulnerabilities 
described occur only under improbable 
circumstances and will not affect you if you 
observe reasonably safe browsing practices. That 
sort of devil-may-care attitude could easily result 
in catastrophe. 


In this chapter we describe how some of those 
catastrophes can occur. More important, we 
explain how to avoid them. Internet Explorer 
uses security zones to segregate the bad sites, 
the good sites, and the ones you're unsure of. 
Applying appropriate security settings to each 
zone ensures that the good guys can deliver a 
rich experience to your computer while the bad 
guys are severely restricted and can do no harm. 
While it might not rise to the level of 
“catastrophe,” another Internet plague is 
pornography and other inappropriate content; 
we'll show you how to keep unwelcome sites out 
of your household or business. We conclude the 
chapter with information about controlling 
ActiveX controls, Java applets, and scripts— 
ordinarily useful Web page components that can 
be the vehicles for malicious attackers to do their 
dirty deeds. 


One important technique for safe Web 
browsing is to send confidential 
information (such as credit card 
numbers) only to secure Web sites— 


that is, sites protected by Secure 
Sockets Layer (SSL) encryption. For 
details, see Protecting Your Identity. 


Security Checklist: Internet 
Explorer 


To keep unwanted code and content 
from hitching a ride on your Web 
connection, be sure to follow these 
sensible security rules: 


e Install the latest service 
packs, security rollups, 
and hotfixes. 


e Subscribe to the 
Microsoft Security 
Notification Service to 
learn about new security 
vulnerabilities as they’re 
discovered and as 
patches are released. 


e Review your security 
zone settings, 
particularly for the 
Internet zone, which 
encompasses all Web 
sites by default. (The 
default settings in 
Internet Explorer 6 are 
quite secure, but you 
might want to further 
restrict Web sites. ) 


e Add to your Trusted 
Sites zone sites that you 
know to be trustworthy 
and that need 
capabilities unavailable 
to sites in the Internet 
Zone. 


e Add to your Restricted 
Sites zone sites that you 
visit but that you would 
rather visit only while 
wearing surgical gloves. 


e Use Content Advisor to 
block objectionable 
content. 


When Web Pages Go Bad 


Even if you restrict your Web browsing to a 
carefully selected list of “safe” sites, you could 
fall victim to an outside attack that takes 
advantage of a security vulnerability in Internet 
Explorer. If you mistype a Web address, for 
instance, you could end up at a site that contains 
malicious or hostile code; pranksters and 
miscreants are notorious for registering domain 
names that are similar to those of Known, trusted 
sites, in hopes of snagging unwitting visitors. In 
fact, you don’t even have to open a browser 
window to fall victim to one of these exploits. The 
components that make up Internet Explorer are 
tightly integrated into Windows and into other 
programs, including Microsoft Outlook Express 
and other e-mail programs that render HTML- 
based messages. Detecting and patching these 
security holes is an ongoing problem that will 
never be completely solved. Microsoft’s security 
experts scramble to patch each new vulnerability 
as it’s discovered, but you can be certain that 
new ones will appear at depressingly frequent 
intervals. 


Most Internet security holes involve the 
deliberate misuse of basic features in the 
architecture of Internet Explorer, such as extra- 
long URLs that are specifically crafted to 
overwhelm internal buffers that hold data. These 
“puffer overflow” exploits can interrupt the 
normal execution of code, leaving the operating 
system in a state in which ordinary security 
precautions literally stop working. An attacker 
who sends a specific string of characters to a 
computer that is in this perilous state can install 
a virus or a Trojan horse, steal data, or alter the 


system configuration. Usually, the only certain 
defense against this sort of attack is to patch the 
underlying software so that it checks data buffers 
properly and discards URLs that are potentially 
harmful. 


Another class of security holes in Internet 
Explorer involves the use—or misuse—of some 
form of active content. In Windows parlance, 
active content refers to scripts or executable 
items—in the form of ActiveX controls and Java 
applets—embedded in or called from the HTML 
code that makes up the pages you download 
from the Web. The powerful capabilities of these 
components bring the Internet to life, allowing 
Web pages to do more interesting things than 
simply display text and hyperlinks. Without these 
extensions, much of the Web would be about as 
interesting and lively as a C-SPAN marathon. 
Allowing scripts, ActiveX controls, and Java 
applets to run on your computer, however, 
increases the risk that a poorly written or 
intentionally hostile bit of code will make 
unauthorized use of your computer’s resources. 


Whether you’re a Windows user or an 
administrator, your biggest challenge is to 
manage that risk so that you enjoy an acceptable 
level of Web functionality without endangering 
your computer or network. The principal tool that 
all versions of Internet Explorer since 4.0 have 
provided is a set of security “zones.” These zones 
allow you to segregate the Web sites you visit 
into categories, depending on the degree of trust 
you accord them. To each zone, you can apply a 
constellation of security settings so that the sites 
you trust are given greater latitude than the ones 
you do not trust. 


Changes to Internet Explorer’s 
security settings also affect other 
applications that use the Windows 
HTML rendering engine, including 
(among others) Outlook Express, 
Outlook, and other e-mail clients; 
Windows Media Player; Help and 
Support; Microsoft Money; and 
Quicken. This shared functionality has 
its benefits, of course: by securing 
Internet Explorer you also secure the 
HTML component of other applications 
that rely on Internet Explorer for 
HTML rendering. But shared 
functionality can also mean shared 
vulnerabilities. For example, the Klez 
worm-—a piece of malware that spread 
widely in 2002—exploits a 
vulnerability that allows it to execute 
itself when you open or merely 
preview an infected message in 
Outlook Express or Outlook. Because 
Microsoft patched this particular 
vulnerability early in 2001, users of 
Windows XP and users of Windows 
2000 who applied the patch ora 
subsequent security rollup, service 
pack, or updated version of Internet 
Explorer have not been affected. 
(Such users can, however, still 
contract the virus by manually running 
the file attached to an infected 
message.) The Klez episode offers two 
important lessons: vulnerabilities in 
Internet Explorer can have impacts on 
other applications, and you must keep 
to date on security patches. 


Using Security Zones 


Security zones provide a primary line of defense against Internet exploits. By 
default, all Web sites you visit are assigned to the Internet zone, and Internet 
Explorer severely restricts the types of actions that can be taken by sites in the 
Internet zone. As we explain in this section, you can lock down the Internet 
zone and other security zones even more tightly if you like. 


Internet Explorer gives you four configurable security zones by default: 
e The Local Intranet zone, for sites within your organization or 


behind your firewall. These sites are typically accorded a high 
level of trust. 


The Trusted Sites zone, for sites outside your firewall in which 
you have the highest trust—for example, those of your business 
associates. This zone is empty on a clean installation of Windows. 


e The Restricted Sites zone, for sites that you explicitly distrust. 
This zone is also empty on a clean installation of Windows. 


e The Internet zone, for all sites that don’t fall into any of the other 
categories. 


A fifth zone, called My Computer, is not normally configurable. Items such as 
ActiveX controls that were installed on your computer by Windows itself (as 
opposed to being downloaded from the Internet) run under the security 
settings of the My Computer zone. File URLs that reference local documents 
also run in the My Computer zone. (Documents that you save to your local file 
system, using Internet Explorer’s File, Save command, continue to run in the 
security zone for the site from which you downloaded them, however.) 


The right end of the status bar in Internet Explorer displays the 
zone for the currently displayed Web page. A page identified as 
Unknown (Mixed) zone contains one or more frames from different 
zones. 


In case these five zones do not meet all of your requirements, you can create 
custom security zones. For details, see Creating_a Custom Security Zone. 


Using security zones effectively requires awareness of the types of hazards that 
exist, an understanding of the various security settings that can be applied to 
each zone, and some discernment about which Web sites to put in which 

zones. This chapter will help with the first two of these requirements. 


To assign sites to zones or configure zones’ security settings, start by choosing 
Tools, Internet Options and clicking the Security tab. The available zones 
appear at the top of the tab, as shown in Figure 8-1. 


Figure 8-1. The Security tab in the Internet Options dialog box is your 
starting point for all security-zone operations. 


Use the Restricted Sites zone for your e-mail program 


Outlook Express, Outlook, and other programs that use Internet 
Explorer for HTML rendering also use its zones. You can tell such 
programs to use a particular security zone, and thereafter any HTML 
that is displayed is subject to the restrictions of that zone. For e- 
mail, which can harbor more nasties than a tuberculosis ward, you 
should use the Restricted Sites zone. 


To make the setting in either Outlook Express or Outlook, choose 
Tools, Options, click the Security tab, and then select Restricted 


Sites Zone. 


For more information about securing your e-mail program, see 
Chapter 10, “Keeping Your E-Mail Secure.” 


Configuring the Local Intranet Zone 


By default, the Local Intranet zone is set up to include the following site 
categories: 


e All local sites, excepting any that you have added to a different 
zone. 


e All sites that you have set up to bypass your proxy server. 


e All files referenced with UNC paths or accessed via My Network 
Places. 


Internet Explorer regards any URL without dots, such as http://localhost, as a 
local site. 


This interpretation of URLs led to a vulnerability when hackers 
realized that dotless IP addresses appeared in the Local Intranet 
zone. (A dotless IP address is a decimal equivalent of a full 32-bit IP 
address. These addresses provide a sneaky, yet legitimate, 
alternative to “dotted quad” IP addresses, which break the IP 
address into four 8-bit sections separated by periods, or dots.) This 
vulnerability, which does not affect Internet Explorer 6, is addressed 
in Microsoft Security Bulletin MSO1-051. 


If you regard any local sites as insufficiently trustworthy to merit the low- 
security settings typically assigned to the Local Intranet zone, you should 
explicitly assign those sites to a different zone. 


To remove one or more of these default categories from the Local Intranet 
zone, select Local Intranet on the Security tab of the Internet Options dialog 
box and click Sites. Then clear the appropriate check box or check boxes on 
the Local Intranet dialog box, shown in Figure 8-2. 


“Figure 8-2. By default, all check boxes are selected in the Local Intranet 
dialog box. 


Adding Sites to Zones 


To add a Web site to a zone, select the zone’s icon on the Security tab of the 
Internet Options dialog box and then click Sites. (To add a site to the Local 
Intranet zone, click Sites and then click Advanced.) A dialog box comparable to 
the one shown in Figure 8-3 appears. 


Type or paste the site’s URL into the Add This Web Site To The Zone box, and 
then click OK. To remove a site, select it and click Remove. Note the following: 


e Internet Explorer assumes the HTTP protocol. Entering 
www.microsoft.com is equivalent to entering 
http: //www.microsoft.com. 


e The Require Server Verification (HTTPS:) For All Sites In This 
Zone option, included in the dialog boxes for the Local Intranet 
and Trusted Sites zones (and selected by default), ensures only 
that the zone you’re currently entering is secured with SSL. You 
can mix and match secure and nonsecure sites in either zone. 
Simply clear the check box when you want to enter a site that 
doesn’t use the HTTPS protocol. 


Figure 8-3. You can add or remove sites from any zone except the 
Internet zone. 


e Entering the full path to any page at a Web site adds the entire 
site to the selected zone. For example, entering 
http: //www.msnbc.com/news/758061.asp is equivalent to 
entering http://www.msnbc.com. On the other hand, 
http: //www.msn.com is not equivalent to 
http://moneycentral.msn.com; MoneyCentral and MSN are 
distinct sites. 


e If you are accustomed to accessing a Web site by either its DNS 
name or its IP address, you'll need to create separate security- 
zone entries for each. For example, suppose you add 
http://www.edbott.com to your Restricted Sites zone. If you 
subsequently visit Ed’s site by navigating to http://66.96.244.85, 
you'll find that the site remains in the Internet zone because you 
didn’t create a separate Restricted Sites entry for the IP address. 


e To move a site from one zone to another, first delete it from its 
current site. Internet Explorer will reject a duplicate entry. Note, 
however, that Internet Explorer will let you put functionally 
equivalent but differently expressed URLs (IP address and DNS 
name, for example, or DNS without protocol and DNS with 
protocol) in different security zones. 


Check the list of trusted sites periodically 


Programs that run on your computer can add sites to a security 
zone, thereby giving those sites powers (or restrictions) that you 
don’t intend to grant. America Online, for example, puts its site in 
the Trusted Sites zone without notifying you. You should periodically 
review the added sites (especially Trusted Sites) and remove any 
that you don’t want included. 


Administering Internet Explorer security settings for others 


If you need to create standardized security settings for a workgroup 
or a domain, you'll want to download Microsoft’s Internet Explorer 
Administration Kit (IEAK) from 

http://www. microsoft.com/windows/ieak/default.asp. The IEAK lets 


you create and distribute a customized version of Internet Explorer. 


If you need to enforce a common security policy for all user 
accounts at a single computer, you'll find it simpler to use Group 
Policy (Gpedit.msc). To ensure that all users operate under the 
same security settings and with the same sites assigned to each 
security zone, in Group Policy open Computer 
Configuration\Administrative Templates\Windows 
Components\Internet Explorer. Enable the policies Security Zones: 
Do Not Allow Users To Change Policies and Security Zones: Do Not 
Allow Users To Add/Delete Sites. Then use User 
Configuration\Windows Settings\Internet Explorer 
Maintenance\Security\Security Zones And Content Ratings to 
configure the site assignments and security settings you want to 
enforce. 


You can also use Group Policy to create a machine-wide security 
policy. (Ordinarily, each user can establish his or her own security 
settings.) In Computer Configuration\ Administrative 
Templates\Windows Components\Internet Explorer, enable Security 
Zones: Use Only Machine Settings. (And use User 
Configuration\Windows Settings\Internet Explorer 
Maintenance\Security\Security Zones And Content Ratings to set up 
the machine-wide policies.) Internet Explorer then derives its 
security settings from the HKLM branch of the registry, instead of 
from HKCU. 


For more information about Group Policy, see Using the Group Policy 
Snap-In. 


Creating a Custom Security Zone 


The default security zones might suit your needs quite adequately. On the 
other hand, you might welcome the ability to fine-tune your security settings 
with the help of one or more extra zones. The Internet Explorer user interface 
doesn’t let you create additional security zones, but with some relatively simple 
registry manipulation, you can do it. The available security zones, their 
properties, and their current security settings (but not the Web sites assigned 
to each zone) are controlled by the HKCU\Software\ 
Microsoft\Windows\CurrentVersion\Internet Settings\Zones registry key. 


This key has the following subkeys: 


Subkey Represents 


0 My Computer zone 

1 Local Intranet zone 
2 Trusted Sites zone 

3 Internet zone 

4 Restricted Sites zone 


You can create custom security zones by adding more subkeys. 


The simplest way to create a custom security zone is to clone one of the 
existing keys and then modify the clone. Follow these steps: 


1. If you’re using Windows XP, use System Restore to create a new 
restore point. (Choose Start, Help And Support, and then click 
Undo Changes To Your Computer With System Restore.) 


It’s always a good idea to create a restore point before you make 
any but the most minor registry changes. If you make a mistake, 
you can close Registry Editor and revert to the restore point. 
Unfortunately, Windows 2000 has no System Restore feature; the 
nearest equivalent is to back up the System State using Windows 
Backup. 


2. Open Registry Editor and navigate to 
HKCU\Software\Microsoft\Windows\ CurrentVersion\Internet 
Settings\Zones\2. 


It’s best to clone either the Trusted Sites zone (zone 2) or the 
Restricted Sites zone (zone 4) because the other zones have 
properties you don’t want to duplicate. (The Local Intranet zone 
is set up to recognize sites behind your firewall, and the Internet 
zone doesn’t allow you to add sites.) 


3. Choose File, Export and save the selected key as a .reg file. 
4. Close Registry Editor. 


5. In Windows Explorer, right-click the saved .reg file and choose 
Edit. 


In Notepad or another text editor, your .reg file will look 
something like this: 
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6. Edit the line that begins with /HKEY_CURRENT_USER, changing 
the \2] at the end to \5/. 


10. 


You can use any number, actually, but 5 will do. 


. Edit the “DisplayName” and “Description” lines to provide a name 


and description for your new zone. (Unfortunately, these values 
are ignored by some versions of Internet Explorer; in that case, 
you end up with a default display name of “Your Computer.”) 


. Change the “Icon” line so that Internet Explorer will display a 


different icon on the Security tab of the Internet Options dialog 
box. (If you don’t have a particular icon in mind, you can use one 
of the following icons by placing its value after inetcp/.cp/#0000, 
replacing 4480.) 


“| Finding an icon 

Icons can be stored in a variety of forms, but they’re 
quite commonly embedded in executable files (.exe 
extension) and dynamic link libraries (.dll). A resource 
viewer lets you display a file’s icons (along with plenty 
of other hidden information). One resource viewer 
that we've found useful is Resource Hunter 


(http://www. boilsoft.com/rchunter.html), from which 


the illustration in step 8 was captured. 


. Edit the “MinLevel” and “RecommendedLevel” lines. 


The MinLevel value specifies the lowest security level you set for 
a zone without receiving a warning prompt from Internet 
Explorer. (A “security level” is a collection of security settings that 
you can apply with the slider control in the Internet Options 
dialog box.) The RecommendedLevel is the zone’s default 
security-level setting (the one to which you can revert with a 
single click in the dialog box). 


The available MinLevel and RecommendedLevel settings are as 
follows: 


Value (Hexadecimal) Setting 


0x00010000 Low 
0x00010500 Medium-Low 
0x00011000 Medium 
0x00012000 High 


Edit the “Flags” line. 


The Flags value sets various properties for the security zone— 
including whether the zone is visible in the Internet Options 
dialog box and whether you are allowed to add sites or change 
security settings. To set the Flags value, add the values you want 
from the table that follows and then convert the sum to 
hexadecimal notation. 


Value Setting 


Value Setting 


1 Allow changes to custom settings 

2 Allow users to add Web sites to this zone 

4 Require HTTPS protocol 

8 Include sites that pass the proxy server 

16 Include sites not listed in other zones 

32 Ee not show this zone in the Internet Options dialog 
Ox 


64 Include the Require Server Verification (HTTPS:) For 
All Sites Listed In This Zone check box. 


128 Treat UNC paths as intranet connections. 


So, for example, to create a zone that lets you add sites and 
make custom security-setting changes, you would make the 
“Flags” line read 


"Flags"=dword: 00000003 


11. Save your edited .reg file. 


12. In Windows Explorer, double-click the .reg file and click Yes in the 
confirmation prompt. 


The remaining lines in the .reg file specify security settings. You don’t need to 
be concerned with them because you can adjust these settings with the 
Internet Options dialog box. (See the following section, Configuring Security 
Settings. ) 


For more information about the registry entries for security zones, see 
Microsoft Knowledge Base article Q182569. 


A third-party security-zone editor is available at 


http://www. geocities.com/ SemperFi /ieze/. The editor does not 


currently work with Internet Explorer 6, however. 


Making the My Computer zone visible 


The security settings for the My Computer zone are not normally 
accessible in Internet Explorer. You can view and change them using 
the Internet Explorer Administration Kit (IEAK). Or you can make 
them accessible in the standard Internet Explorer user interface by 
subtracting 32 (decimal) from the current data in the Flags value of 
the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\0 registry key. Be aware, though, that Microsoft 
makes these settings inaccessible by default for a good reason. The 
many ActiveX controls used by the operating system and local 
applications are limited by these security settings. You should not 
change the settings unless you are absolutely sure you know what 
you're doing. 


Configuring Security Settings 


Internet Explorer includes four “prepackaged” constellations of security settings 
and applies them by default to the four standard security zones, as follows: 


Security zone Default security settings 


Local Intranet Medium-Low 
Trusted Sites Low 
Restricted Sites High 


Internet Medium 


To change from one group of settings to another, select a zone on the Security 
tab of the Internet Options dialog box and then move the Security Level For 
This Zone slider. If the slider isn’t visible, that means that some custom 
security settings have already been set for that zone. To make the slider 
reappear, click Default Level. Notice that the settings applied by default to your 
Trusted Sites zone are more lenient than those applied to sites within your 
organization (Local Intranet zone). If you stick with these defaults, don’t give 
Trusted Sites status to any Web site that you don’t trust as much as the 
servers in your own building. Also be aware that the default settings for the 
Restricted Sites zone disable essentially anything that moves. 


The individual settings associated with each of the security levels in Internet 
Explorer 6 are listed in Table 8-1. Note that these are factory defaults (as are 
all defaults mentioned in the following pages). If you are using a copy of 
Internet Explorer that has been customized by your administrator, your 
defaults might differ. 


Table 8-1. Default Security Settings in Internet Explorer 6 


Security Setting Low Se Medium High 


ActiveX controls and plug-ins 


Download signed ActiveX Enable Prompt Prompt Disable 
controls 
Download unsigned Prompt Disable Disable Disable 


ActiveX controls 


Initialize and script Prompt Disable Disable Disable 
ActiveX controls not 
marked as safe 


Run ActiveX controls and Enable Enable Enable Disable 
plug-ins 
Script ActiveX controls Enable Enable Enable Disable 


marked safe for scripting 


Security Setting 


Downloads 
File download 
Font download 
Microsoft VM 


Java permissions 


Miscellaneous 


Access data sources 
across domains 


Allow META REFRESH 
Display mixed content 


Don’t prompt for client 
certificate selection when 
no certificates or only 
one certificate exists 


Drag and drop or copy 
and paste files 


Installation of desktop 
items 


Launching programs and 
files in an IFRAME 


Navigate sub-frames 
across different domains 


Software channel 
permissions 


Submit nonencrypted 
form data 


Userdata persistence 


Low 


Enable 


Enable 


Low Safety 


Enable 


Enable 
Prompt 


Enable 


Enable 


Enable 


Enable 


Enable 


Low Safety 


Enable 


Enable 


Medium- 
Low 


Enable 


Enable 


Medium 
Safety 


Prompt 


Enable 
Prompt 


Enable 


Enable 


Prompt 


Prompt 


Enable 


Medium 


Safety 


Enable 


Enable 


Medium 


Enable 


Enable 


High 
Safety 


Disable 


Enable 
Prompt 


Disable 


Enable 


Prompt 


Prompt 


Enable 


Medium 


Safety 


Prompt 


Enable 


High 


Disable 


Prompt 


Disable 
Java 


Disable 


Disable 
Prompt 


Disable 


Prompt 


Disable 


Disable 


Disable 


High 


Safety 


Prompt 


Disable 


Medium- 


Security Setting Low Low Medium High 
Scripting 

Active scripting Enable Enable Enable Disable 
Allow paste operations Enable Enable Enable Disable 
via script 

Scripting of Java applets Enable Enable Enable Disable 


User authentication 


Logon Automatic Automatic Automatic Prompt 
logon with logon logon for user 
current only in only in name 
username and Intranet Intranet and 
password zone zone password 


With regard to security settings, the most significant difference between 
Internet Explorer 6 and Internet Explorer 5 is that the cookie settings in 
version 5 have been removed altogether. In Internet Explorer 6, you set cookie 
policies on the Privacy tab of the Internet Options dialog box. (For details, see 
Managing_Cookies.) In addition to this change, Internet Explorer 6 tightened 
certain security settings. If you upgrade Internet Explorer 5 to version 6, most 
of your security settings are retained. However, under high security (the 
default for the Restricted Sites zone) in Internet Explorer 6, Java and scripting 
are disabled, regardless of how they were set in version 5. 


Now let’s look at the individual security settings. To configure any of these 
settings, select a zone, click Custom Level, and then fill out the dialog box 
shown in Figure 8-4. 


“Figure 8-4. You can configure individual security settings for any zone 
using this dialog box. 


ActiveX Security Settings 


ActiveX controls, because their power makes them potentially dangerous, are 
tightly restricted by default. 


Download Signed ActiveX Controls. This setting determines whether 
Internet Explorer is allowed to download controls that can be assumed to be 
authentic and unaltered. Because a signature is no guarantee that a control will 
have no harmful effect, Internet Explorer, by default, downloads without a 
prompt only from sites in your Trusted Sites zone (and blocks all Activex 
controls, signed or not, for sites in the Restricted Sites zone). No matter how 
much confidence you have in your most trusted sites, you might want to 
consider bumping this setting from Enable to Prompt in the Trusted Sites zone. 


Download Unsigned ActiveX Controls. By default, Internet Explorer blocks 
unsigned ActiveX controls without a prompt in all zones but Trusted Sites. If 
your organization develops and tests controls in house, you might want to 
change the Local Intranet setting from Disable to Prompt so that you have 
intranet access to those controls before they’re signed. You should definitely 
not download unsigned controls from outside sources, however. 


Initialize And Script ActiveX Controls Not Marked As Safe. This setting 
determines whether Internet Explorer will allow initialization and/or scripting of 
ActiveX controls that don’t have the appropriate “safe for” signatures. Unless 
you're testing a control under development or have some other compelling 
reason to practice unsafe ActiveX, you don’t want to change the defaults for 
this setting. For information about these signatures, see The Safe for 
Initialization and Safe for Scripting Flags. 


Run ActiveX Controls And Plug-ins. Internet Explorer’s default security 
settings allow it to run downloaded ActiveX controls and plug-ins without a 
prompt in all zones except Restricted Sites, where controls and plug-ins are 
disabled. (A plug-in is an installed application used to render Internet content. 
Adobe Acrobat Reader, which renders the PDF file type, is a widely used plug- 
in.) If you have concerns about the safety of ActiveX, you might want to 
tighten this setting—or take advantage of a fourth option, which allows only 
administrator-approved controls to run. (For details, see Permitting_Only 
Administrator-Approved Activex Controls to Run.) 


Script ActiveX Controls Marked Safe For Scripting. This setting 
determines whether controls loaded with the <param> tag are allowed to 
interact with scripts. The setting is enabled in all zones except Restricted Sites, 
where it is disabled. In earlier versions of Internet Explorer, the setting was 
enabled for all sites. If you upgraded from Internet Explorer 5, even sites in 
your Restricted Sites zone will be allowed to script ActiveX controls. You should 
definitely disable such scripting in the Restricted Sites zone. 


For information about what ActiveX controls are, how they're used 
in Internet Explorer, and how to work with them, see Managing 
ActiveX Controls. 


Download Settings 


File and font downloads are enabled by default for all zones except Restricted 
Sites. (File downloads from Restricted Sites are disabled by default; font 
downloads generate a confirmation prompt.) Provided you have an up-to-date 
virus checker installed, the defaults are reasonable. 


Java Security Settings 


The Microsoft VM section of the Security Settings dialog box includes the 
following options: 


e Custom 

e Disable Java 

e High Safety 

e Low Safety 

e Medium Safety 
If you choose a high, low, or medium safety setting, Internet Explorer allows 
applets in the zone to run, provided the permissions requested by the applet 


do not exceed a certain level. If they do exceed that level, the browser issues a 
prompt and awaits your decision. 


The High Safety setting corresponds to the traditional Java sandbox. For 
information about the permissions accorded a sandboxed applet, see Managing 
Java Applets. 


The Medium Safety setting allows the applet to do the following (in addition to 
what it can do under High Safety): 


e Access scratch space—a storage area on your computer that lets 
the applet create temporary files without having full use of your 
file system. 


e Perform user-directed file input and output. 
Under Low Safety, the applet can also do the following: 


e Perform other (not user-directed) file input and output 

e Execute other applications on your computer 

e Create and use dialog boxes 

e Provide thread group access in the current execution context 


e Open network connections with computers other than the 
applet’s host 


e Load libraries on your computer 


Make calls to Windows dynamic load libraries (DLLs) 


Create a pop-up window without the customary warning that the 
window was created by an applet. 


Exit the Microsoft VM 


e Read and write to the registry 
e Print 


e Create a class loader 


In other words, a Java applet running under low security (the default setting 
for the Trusted Sites zone) could, if it were signed with corresponding 
permissions requests, become comparable in power to an ActiveX control. If 
you're not comfortable with that level, choose a higher one. Remember that 
applets that need more power than you grant can still run (unless you disable 
Java altogether); they just require you to answer a prompt. 


If the standard Java security settings don’t meet your needs, choose custom 
and then click the Java Custom Settings button that appears. In the ensuing 
dialog box, you can do a considerable amount of fine-tuning. 


Miscellaneous Security Settings 


Virtually every configuration process in Windows has a collection of settings 
that don’t neatly fit anywhere else. Security Settings is no exception, and you'll 
find that collection under the Miscellaneous heading. 


Access Data Sources Across Domains. This setting determines whether a 
component (an ActiveX control or an applet) that needs to connect to a data 
source is allowed to connect to a domain other than the one from which it was 
downloaded. Because cross-domain access is potentially hazardous, Internet 
Explorer does not permit this by default in the Internet or Restricted Sites 
zone. 


Allow META REFRESH. A META REFRESH tag redirects you to a different 
server after a specified delay. Usually, this service is benign and welcome 
because it gives Web site operators a way to leave a forwarding address if they 
move to a different URL. Because you might not trust the site you’re being 


redirected to, however, Internet Explorer gives you the means to turn META 
REFRESH off. (With the setting configured to Disable, you can still read the 
forwarding URL at the site from which you would otherwise be redirected, 
copying it into the Address bar if you trust the destination site.) The Allow 
META REFRESH setting was added with Internet Explorer 6, probably because 
of a class of redirect exploits (now patched) like one that affected Windows 
Media Player. 


Display Mixed Content. By default, Internet Explorer prompts for permission 
in all security zones when a site wants to display both secured and unsecured 
content. This can occur, for example, if a Web page on a secure site draws 
images or framed content from an unsecured site. The risk here is that, if such 
a page asks you for confidential information, it’s difficult to know whether your 
response will be transmitted over a secure, encrypted connection. There’s no 
risk in viewing information on pages with mixed content, but you should be 
cautious about sending information (by completing a form, for example) from a 
mixed-content page. If you find the prompts annoying, you can change the 
setting to Enable. 


To determine whether a form or other part of a mixed-content page 
is secured, right-click the part of the page in question, choose 
Properties, and check the URL. If it begins with https://, you can 
proceed safely. 


Don’t Prompt For Client Certificate Selection When No Certificate Or 
Only One Certificate Exists. Certain secure Web sites are configured to 
request a client certificate—that is, a personal certificate that identifies you and 
has a root trusted on the server. With this setting disabled (the default), 
Internet Explorer displays a list of certificates that you can use. If you have 
only one personal certificate that’s trusted by the site’s server, you can bypass 
this prompt by enabling this setting. 


Drag And Drop Or Copy And Paste Files. With this setting enabled (as it is 
by default in the Local Intranet and Trusted Sites zones), the possibility exists 
that a control or a script could move from a site where it’s restricted to a 
lower-security site where it could party till dawn. If you don’t have 100 percent 
confidence in your Trusted Sites or Local Intranet sites, consider changing this 
setting to Prompt. 


Installation of Desktop Items. This setting, enabled by default only in the 
Trusted Sites zone, allows you to guard against a security vulnerability that, 
under particular circumstances, could allow a user to gain unauthorized 
privileges on a Windows 2000 or Windows XP computer. For more information 
about this vulnerability, see Microsoft Security Bulletin MSO0-020 


(http://www. microsoft.com/technet/security/bulletin/ms00-020.asp). 


Launching Programs And Files In An IFRAME. IFRAMESs are in-line, or 
floating, frames often used for pop-up windows; security problems involving 
this type of frame typically exploit buffer overflow vulnerabilities or hostile 
script. The IFRAME setting, enabled by default only in the Trusted Sites zone, is 
designed to eliminate a security vulnerability that could allow a malicious Web 
site to read files on your computer. For more information, see Microsoft 
Security Bulletin MS99-042. 


Navigate Sub-Frames Across Different Domains. This setting allows you to 
work with pages that use frames. In some cases, a Web site uses a frame to 
encapsulate a page from another site on a different domain. Disabling this 
setting, which is the default in the Restricted Sites zone, prevents the display 
of another site in a frame. 


Software Channel Permissions. This setting controls the permissions given 
to software distribution channels. Three options are available: High Safety, Low 


Safety, and Medium Safety. High Safety prevents you from being notified about 
software updates by e-mail and keeps software from being automatically 
downloaded and installed onto your computer. Low Safety allows you to receive 
e-mail notification and allows automatic downloading and installation. Under 
Medium Safety, you get the e-mails and downloads (provided the software is 
digitally signed), but no automatic installation. 


Submit Nonencrypted Form Data. This setting affects the transmission of 
forms data over non-SSL connections. Disable prevents; Enable allows; and 
Prompt prompts. 


Userdata Persistence. Introduced with Internet Explorer 5, “userdata 
persistence,” if enabled, allows a Web site to create XML files that can store a 
large quantity of personal information for subsequent reuse by the Web site. 
These files, called “supercookies” by some, don’t present any particular 
security risk, as they can store only items that you choose to enter yourself, 
either directly through a form you type in or indirectly through database 
recordsets returned to your computer as the result of a query. The benefit of 
these files is avoiding the need to fill in a form again or to run a Web query 
again; many online merchants rely on userdata persistence to make their 
shopping cart feature work. Nonetheless, if you regard this innovation as an 
end-run around the privacy protection afforded by Internet Explorer 6’s support 
of the Platform for Privacy Preferences (P3P), you can set Userdata Persistence 
to Disable. By default, the setting is Enable for all zones other than Restricted 
Sites. (For more information about cookies and P3P, see Managing Cookies.) 


Scripting Security Settings 


Scripts are programs embedded within a Web page, which have the potential to 
engage in dangerous behavior. For a discussion of the pros and cons of 
scripting, see Managing Scripts. 


Active Scripting. The Active Scripting setting determines whether scripts are 
allowed to run on Web pages. Scripting is enabled by default in all zones but 
Restricted Sites. 


Allow Paste Operations Via Script. In 1999, a security flaw was found in 
Internet Explorer 5 that allowed scripts, under certain conditions, to copy data 
from the user’s Clipboard to the host Web site. Microsoft recommends that if 
you are concerned about this possibility, you should set Allow Paste Operations 
Via Script to either Prompt or Disable. Note that the setting is enabled by 
default in all zones but Restricted Sites. 


Scripting Of Java Applets. This setting determines whether scripts are 
allowed to interact with Java applets. The setting is enabled in all zones except 
Restricted Sites. 


User Authentication Settings 


The Logon settings options determine what happens if a Web site requests your 
logon credentials. You might think it convenient to have Internet Explorer log 
you on automatically—but don’t allow automatic logon anywhere except 
(possibly) in the Local Intranet and Trusted Site zones. The reason is that a 
malicious Web site operator could, without your knowledge or permission, 
request your logon credentials. (Internet Explorer actually responds with your 
user name and an encrypted hash of your password—not the actual password. 
But given enough time, the perpetrator could use this information to crack your 
password.) For more information about this exploit, see Microsoft Security 
Bulletin MSO1-001. 


Using Content Advisor to Block 
Objectionable Content 


As you’ve undoubtedly discovered, the Internet 
has some rather seedy corners. Legislators have 
tried to regulate Internet content, generally 
without success. The desire to permit unfettered 
speech, as well as a collective inability to define 
and agree on what constitutes unacceptable 
content, ensures that the Internet will have 
something to offend every taste and moral 
standard for a long time to come. Although 
objectionable content is not a security issue in 
the sense that it threatens the well-being of your 
hardware and data, some users might consider it 
a threat to other aspects of their well-being. 
Offensive content can be an issue not only for 
parents, but also for businesses that want to 
prevent time-wasting and lawsuit-attracting Web 
surfing of inappropriate sites. 


Internet Explorer addresses these concerns with 
a feature called Content Advisor. When Content 
Advisor is enabled, if a user tries to go to a Web 
page with content that is restricted by the 
standards you set, Internet Explorer won't show 
the page. Instead it displays a warning message. 
Users who know the supervisor password (you 
supply this password when you first enable 
Content Advisor) can bypass the warning and 
view the page. 


Unlike other security settings, Content 
Advisor settings apply to all users ona 
computer. Therefore, the settings you 
make while logged on using your 
account will apply to others who use 
your computer. To modify Content 


Advisor settings, you must be logged 
on as an administrator. 


By default, Internet Explorer comes with one 
rating system, RSACi—the Recreational Software 
Advisory Council’s Internet rating system. This 
system is being supplanted by the Internet 
Content Rating Association (ICRA) system, so you 
should install that system as well. (For details 
about the two systems, see the ICRA Web site at 


http://www.icra.org.) 


To install the ICRA rating system and set up 
Content Advisor, follow these steps: 


1. Download the .rat file (as in 
“ratings,” not “you dirty rats!”) for 
the ICRA system from 
http://www.icra.org/icra.rat, and 
save it to the 
%SystemRoot%\System32 folder. 


2. In Internet Explorer, choose Tools, 
Internet Options, and then click the 
Content tab. 


3. Under Content Advisor, click Enable. 
(If you’ve already enabled Content 
Advisor, click Settings instead.) The 
Content Advisor dialog box 
appears. 


4. On the General tab, click the Rating 
Systems button. 


“-| You can also install other 
rating systems, although 
RSACi and ICRA ratings 
are currently applied to 
more Web sites than any 
other systems. To learn 


about other systems, 
click Find Rating 
Systems on the General 
tab. 


5. Click Add, select Icra.rat, click 
Open, and then click OK in the 
Rating Systems dialog box. 


6. Click the Ratings tab, shown in 
Figure 8-5. 


“-Figure 8-5. Fach category in 
the ICRA rating system 
describes a particular type of 
content, which you can choose 
to accept or reject. 


The Ratings tab contains a list of 
rating systems and categories. The 
ICRA system has a large number of 
categories, and each one has two 
settings: allow the selected content 
type (slider moved to the right) or 
do not allow the content (slider 
moved to the left). The RSACi 
system has only four categories: 
language, nudity, sex, and violence. 
Each category has five levels, 
numbered O through 4. A higher 
number indicates more explicit or 
intense content. 


7. On the Ratings tab, select a 
category and then drag the slider to 
set the limits you want. As you 
move the slider, a description of the 
current setting appears below the 
Slider. Repeat this step for each 
category. 


8. Click OK. If you haven't already set 
up a Supervisor password, supply 
and confirm your supervisor 
password in the Create Supervisor 
Password dialog box. 


“The supervisor password is the 
master key that lets you change the Content 
Advisor settings or bypass the Content Advisor 
protections. Write this password down in a safe 
place so that if you forget it, you won’t be 
blocked from modifying or disabling Internet 
Explorer’s content restrictions. 


Recovering from a lost password 


If you forget your password, don’t 
panic. Use Registry Editor to open the 
HKLM\Software\Microsoft\Windows\Cu 
rrentVersion\Policies\ Ratings key. 
Then delete this key’s Key value. If 
you're concerned that your kids (or 
employees) might be savvy enough to 
make this registry fix themselves, use 
registry permissions to control access 
to that key. By default, only members 
of the Administrators group have 
permission to remove the key, so if 
your kids’ accounts are set up as 
limited users, your password is safe. 
For information about registry 
permissions, see Restricting Access to 
the Registry. 


Blocking Unrated Sites 


Not all Internet content is rated. By default, 
Content Advisor blocks pages that don’t have a 
rating because Content Advisor has no way of 
knowing what types of content are on such 
pages. Just as when you attempt to view a site 
with unacceptable ratings, when you attempt to 
view an unrated site, you'll see a dialog box 
similar to the one shown in Figure 8-6. 


“-Figure 8-6. Content Advisor blocks pages 
with ratings beyond the limits you set and 
pages that arent rated. 


If you don’t want this type of protection, you can 
change the default behavior. Open Internet 
Options, click the Content tab, and then click 
Settings. On the General tab of the Content 
Advisor dialog box, select Users Can See Sites 
That Have No Rating. 


Because so many sites are unrated—including 
both “good” sites and “bad” ones—Content 
Advisor lets you create your own ratings for 
particular sites. To set up a list of sites that you 
want to allow or disallow, regardless of their 
claimed content rating, click the Approved Sites 
tab in the Content Advisor dialog box. Type each 
site’s URL and then click Always or Never. You can 
add approved sites to this list on an ad hoc basis 
by selecting Always Allow This Web Site To Be 
Viewed when you encounter the dialog box shown 
in Figure 8-6. 


Turning Off Blocking 


If you change your mind about blocking offensive 
material, simply display the Internet Options 
dialog box, click the Content tab, click the Disable 
button, and then enter your supervisor password. 
Blocking is turned off until and unless you return 
and click the Enable button (which alternates 
with the Disable button). 


Using Third-Party Content Filters 


A number of programs from independent 
software vendors take a different approach to 
blocking objectionable content. Rather than 
relying on site operators to police themselves, 
publishers of content filtering programs maintain 
a list of offensive sites, offensive words and 
phrases, and other indicators. The filtering 
software prevents you from going to a listed site 
or to a page that contains listed content; some 
programs merely block out offensive words and 
pictures. With most such programs, you can 
override the restrictions by entering a password. 
(Although self-policing sounds a bit uncontrolled 
—and there are certainly plenty of slimeball Web 
site operators—Web publishers have little 
incentive to post inaccurate ratings. And the 
sleaziest sites are more likely to have no rating at 
all, so Content Advisor blocks them by default.) 


The problem with content-filtering programs is 
that the programs’ publishers—not you—define 
what is offensive. Some programs allow you to 
select which types of content you want to block, 
whereas others offer you almost no control. You 
might think your children shouldn’t view sites 
that promote gambling; the software publisher 
might think your children shouldn’t view sites 
that show violent behavior. Worse, you can’t 
modify most programs’ definitions of “offensive,” 
nor can you even find out exactly which sites are 
blocked and which words, phrases, and so on 
trigger blocking. Some programs are known to 
block sites that promote certain political views— 
again, beyond your control. 


Content filtering programs also tend to allow 
some sites to be viewed that should be blocked. 


This can occur, for example, because a new site 
isn’t yet on the blocked list or because a variant 
of an offensive word appears instead of the listed 
form of the word. 


Nonetheless, such programs are popular and are 
worth investigating if you’re concerned about 
offensive material appearing on your screen. 
Among the most popular are the following: 


e Cyber Patrol, from SurfControl, Inc. 
(http://www. cyberpatrol.com) 


e CYBERsitter, from Solid Oak 
Software, Inc. 
(http://www.cybersitter.com) 


e SuperScout Web Filter, from 
SurfControl, Inc. 
(http://www.surfcontrol.com/busin 
ess/products/superscout web/) 


Managing ActiveX Controls 


ActiveX controls are compiled components that can be used by multiple 
programs or Web sites. They can be written in any programming language that 
supports Microsoft’s Component Object Model (COM), and they’re implemented 
as .ocx or .dll files. Your system probably has dozens or hundreds of them 
because they’re used by the operating system and by applications that have 
nothing to do with the Internet—as well as by many Web sites. 


Unlike Java applets (discussed later in this chapter), ActiveX controls are native 
Windows programs capable of doing anything that other Windows programs 
can do, limited only by the permissions available to your user account. That is, 
unless you are using a severely restricted account, you should assume that any 
ActiveX control you download has full access to your file system, registry, and 
hardware. Once downloaded from the Internet and registered on your system, 
ActiveX controls can run automatically or be activated by code outside 
themselves, such as script embedded in a malevolent Web page. 


When the underlying technologies and security mechanisms for ActiveX were 
first being developed, some security experts expressed fears that virus writers 
and hackers would write their own ActiveX components, using the Web-based 
download-and-install mechanism to distribute malware. As it turns out, those 
fears have never been realized. Instead, most security exploits target 
vulnerabilities in ActiveX components that are widely distributed as part of 
Windows itself. For example, the Eyedog control, which is used by diagnostic 
software in Windows, was originally marked (mistakenly) as safe for scripting. 
Eyedog had another problem, in that it was susceptible to a buffer overrun 
attack. This combination of errors (both corrected in 1999 and therefore not an 
issue in Windows XP or Windows 2000) attracted the attackers who unleashed 
the BubbleBoy and Kak worms. Many of the more notorious security exploits 
have, in fact, involved the misuse by third parties of ActiveX controls that 
served perfectly well the functions for which they were originally designed. 


For a Microsoft-approved repository of articles, white papers, and 
presentations on ActiveX technology, see 

http://www. microsoft.com/com/tech/activex.asp. For a balanced 
discussion of ActiveX security risks, from a non-Microsoft 
perspective, see http://www.cert.org/reports/activex_report.pdf. 
You can also find a wealth of third-party commentary on security 
issues involving ActiveX by simply using your favorite search engine 
to look for “ActiveX Security.” 


To help you decide whether downloading an ActiveX control is an acceptable 
risk, Microsoft employs a digital signing technology it calls Authenticode. 
Control publishers sign their controls using digital certificates provided by 
certification authorities (CAs). Internet Explorer checks the validity of the 
certificate and decides how to handle the control. 


For more about signatures and certificates, see Chapter 4, 
“Installing_and Using Digital Certificates.” 


Note that a control’s signature attests only to its authenticity and integrity. It 
guarantees that the control you’re about to download (or not download, as you 
choose) comes from the party it says it comes from and that it has not been 
changed in any way since the time it was signed. The signature does not attest 
to the benevolence of the control or the competence of its creator. Assuming 
the signature is valid, you will probably base your decision to download on the 
reputation of the control's publisher. 


In the default security settings for the Internet zone (the broad category of 
Web sites that you have not elevated to higher-trust status or demoted to 
lower trust), Internet Explorer prompts you for permission to download a 
signed control and blocks any controls without a valid signature. You will see a 
dialog box comparable to the one shown in Figure 8-7. 


Figure 8-7. Internet Explorer typically prompts for permission to 
download an ActiveX control or Java applet. 


As you can see, the dialog box doesn’t tell you much about the component 
you're considering downloading. It doesn’t even tell you whether the 
component is an ActiveX control or a Java applet. It does provide the name of 
the component’s publisher, however, and by clicking the publisher’s name, you 
can see the certificate that was used to sign the component. (See Figure 8-8.) 


“Figure 8-8. Clicking the publisher's name lets you see the certificate 
that was used to sign the control. 


Unless you have explicitly given the browser permission to download unsigned 
controls (by changing one of the default security settings), you can be assured 
that the signature and certificate are valid. If for some reason you want to look 
at the certificate, however, the time to do so is before you accept the control. 
Internet Explorer does not download the certificate. (You can import it, 
however. After clicking the publisher’s name to display the certificate, click 
Install Certificate. Internet Explorer then installs the certificate and makes it 
visible on the Other People tab of the Certificates dialog box. For more 
information about the Certificates dialog box, see Using the Certificates Dialog 
Box.) 


After you have downloaded an ActiveX control, you can learn more about it as 
follows: 


1. Choose Tools, Internet Options. 


2. On the General tab of the Internet Options dialog box, click 
Settings. 


3. In the Settings dialog box, click View Objects. 


(Alternatively, use the Start menu’s Run command or the address bar in 
Windows Explorer to open the %SystemRoot%\Downloaded Program Files 
folder.) The Downloaded Program Files folder, shown in Figure 8-9, lists all 
ActiveX controls and Java applets downloaded by anyone at your computer. 


Although Internet Explorer’s security settings are, by default, 
specific for each user account, ActiveX controls and Java applets are 
registered only on a per-computer basis. If you share your 
computer with others who are less security conscious than you, be 
aware that controls and applets they accept are also available to 


your applications and the Web sites you visit. 


“Figure 8-9. The Downloaded Program Files folder lists all Activex 
controls and Java applets downloaded to the computer. 


Updating an ActiveX Control 


In Details view, the Downloaded Programs folder provides some useful 
information about each component. The Status column, for example, tells you 
whether a component has become damaged in some way, and the Creation 
Date column tells you the age of your components. If a component has become 
damaged for some reason or is starting to look a little gray around the 
temples, you can right-click it in the Downloaded Program Files folder and 
choose Update from the shortcut menu. Internet Explorer checks the original 
source of the component to see whether a newer version is available. If one is 
available, you'll see another confirmation prompt (assuming you’ve set Internet 
Explorer to prompt for download permission) and be given the chance to 
replace the old component with the newer version. 


While it might be tempting to select a control marked Damaged and 
press the Delete key, resist this temptation. Simply deleting a 
control, damaged or not, gets rid of the .ocx or .dll file but leaves 
the registry unchanged. The next time a Web site needs the 
component, it will assume the component still exists somewhere on 
your system but will be unable to find it. This could cause Internet 
Explorer to crash. To remove a control, right-click it in the 
Downloaded Program Files folder and choose Remove from the 
shortcut menu. 


Reading a Control's Properties 


Right-clicking a component and choosing Properties from the shortcut menu (or 
simply double-clicking it) reveals other useful information. (See Figure 8-10.) 
On the General tab, for example, the Type field tells you whether the 
component in question is an ActiveX control or a Java applet, and the 
CodeBase field tells you where the component came from. Internet Explorer 
uses the security zone to which the CodeBase URL is assigned to determine 
how to handle the control when an application or a Web page wants to use it. 
(Notice that the CodeBase URL might in some cases be different—and ina 
different security zone—from the site you were visiting when you initiated a 
download. In such a case, Internet Explorer applies whichever settings are 
more restrictive.) 


Figure 8-10. A downloaded component’s Properties dialog box provides 
useful information about the component's source and purpose, as well as 
the unique ID under which the component is registered. 


On the Version tab of the Properties dialog box, you can often find the name of 
the component’s publisher, as well as the version number. And the Dependency 
tab identifies the file or files used by the component. 


The Safe for Initialization and Safe for Scripting Flags 


ActiveX controls can be initialized with either local or remote data. If this data 
happens to come from an untrustworthy source, it’s possible that initialization 
of the control could cause a security breach. ActiveX controls also support a set 
of methods, properties, and events that are accessible to scripts. The ability of 
a rogue script to use an ActiveX control to do things it wasn’t intended to do— 
such as read, write, or delete files—represents another security hazard. 


As a way of dealing with these risks, publishers can sign their ActiveX controls 
as safe for initialization and/or safe for scripting. If a control is marked safe for 
initialization, the publisher asserts that the control will do no harm, regardless 
of how it’s initialized. If a control is marked safe for scripting, the publisher 
asserts that the control will do no harm, regardless of how its properties, 
events, and methods are used. 


Under the default security settings assigned to the Internet zone and Local 
Intranet zone, Internet Explorer blocks the initialization and scripting of 
controls not marked as safe for those actions, and it permits the scripting of 
controls marked safe for scripting. In the Trusted Sites zone, the browser 
prompts for permission to initialize or script controls not marked as safe, and in 
the Restricted Sites zone, initialization and scripting of all controls are blocked. 
You can customize these settings to suit your needs. For example, if you’re 
certain that controls obtained from sites on your local intranet are safe— 
whether or not they are so marked—you can remove Internet Explorer’s 
default restrictions or request a prompt for permission. 


The presence of the following registry key identifies a control as safe for 
scripting: 


HKCR\CLSID\GUID\Implemented Categories \ {7DD95801-9882-11CF-9Fi 


The presence of the following key indicates a control marked safe for 
initialization: 


HKCR\CLSID\GUID\Implemented Categories \ {7DD95802-9882-11CF-9Fi 


In both of these registry paths, GUID represents the control's globally unique 
identifier (GUID). Figure 8-11 shows these registry entries for the Microsoft 
Office Tools on the Web control, which is marked safe for both initialization and 
scripting. 


“Figure 8-11. The Microsoft Office Tools on the Web ActiveX control is 
marked safe for initialization and safe for scripting. 


Notice that the GUIDs that flag a control as safe for initialization or safe for 
scripting have no subkeys or values. Their presence or absence is all that 
matters. If, for any reason, you want to “demote” a control to not-marked-as- 
safe status, you can safely do so by deleting the appropriate GUID (not the 
control’s CLSID GUID, but the GUID that marks it safe for initialization or 
scripting). 


To locate the appropriate parent key for the safe-for-scripting or 
safe-for-initialization subkey, select the control’s GUID in its 
Properties dialog box (see Figure 8-10) and press Ctrl+C. Open 
Registry Editor, navigate to HKCR\CLSID, press Ctrl+F (the shortcut 
for Registry Editor’s Find command), press Ctrl+V, and then click 
Find Next. 


Deleting a Downloaded ActiveX Control 


If you decide you no longer need an ActiveX control that you downloaded from 
the Internet, open Add Or Remove Programs in Control Panel to see whether 
the control can be uninstalled there. (Some can and some cannot.) If you don’t 
find an entry for the control there, open the Downloaded Program Files folder 
(you can get to it from the Internet Options dialog box or by typing 
%systemroot% \downloaded program files in the Run dialog box or in the 
Windows Explorer address bar), right-click the control you want to remove, and 
choose Remove from the shortcut menu. 


Using either of these methods deletes the control and clears it from your 
registry. Do not simply delete the control from the Downloaded Program Files 
folder because this will leave your registry in a damaged state, potentially 
causing your browser to crash the next time a Web site comes looking for the 
deleted control. 


Permitting Only Administrator-Approved ActiveX Controls to 
Run 


One of the security settings that can be assigned to security zones in Internet 
Explorer allows you to restrict the use of ActiveX controls to an administrator- 
approved list. If you want to create a set of approved controls and restrict all 
users at your computer to that set, the best procedure is to use Microsoft’s 
Internet Explorer Administration Kit (IEAK), which you can download from 
http://www. microsoft.com/windows/ieak/default.asp. The IEAK creates a list of 
all controls already installed on your computer and lets you choose the ones 
you approve from that list. 


If you don’t want to use the IEAK, you can use Group Policy. At a command 
prompt, type gpedit.msc, and in Group Policy navigate to User 
Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Administrator Approved Controls. You'll find a list of controls there, 
nearly all of which are Microsoft's. To add one of these controls to the approved 
list, double-click it and select Enabled. After you have made your selections 
from this list of controls, you can add other controls to the approved list by 
means of a registry edit. 


Start by getting the CLSID of a control you want to add (display the control's 
Properties dialog box, select the CLSID, and press Ctrl+C to copy the GUID to 
the Clipboard). Then open Registry Editor and navigate to 
HKCU\Software\Policies\Microsoft\ Windows\CurrentVersion\Internet 
Settings\AllowedControls. 


Add a DWORD value for the CLSID that represents the control you want to 
approve, and set the data for that value to 0. (See Figure 8-12.) 


Figure 8-12. You can create an administrator-approved list of Activex 
controls by using the IEAK or Group Policy or by modifying this registry 
key. 


To limit Internet Explorer to the list of approved controls, configure the Run 
ActiveX Controls And Plug-ins security setting to Administrator Approved. (See 
Activex Security Settings.) This is a per-security-zone setting. 


Inactivating an ActiveX Control 


If you remove an ActiveX control—perhaps because you no longer need it or 
trust it—nothing prevents Internet Explorer from downloading the control again 
the next time you visit a site that wants to use the control. If you want to 
make sure that a control never runs on your system again, you need to make a 
small change to the registry. Start by copying the CLSID of the control to your 
Clipboard, as follows: 


1. Open the %SystemRoot%\Downloaded Program Files folder. 
2. Double-click the control you want to remove. 


3. On the General tab of the Properties dialog box, select the entire 
ID field (if it isn’t already selected) and press Ctrl+C. 


Now run Registry Editor and navigate to HKLM\Software\ Microsoft\ Internet 
Explorer\ActiveX Compatibility. With this key selected, do the following: 


1. Choose Edit, New, Key. 


2. Name the key by pressing Ctrl+V to paste the CLSID that you put 
on the Clipboard. (If the registry already has a key for the CLSID 
you paste, Registry Editor refuses to accept the new name and 
prompts you for a different one. Simply delete the unnamed new 
key, and navigate to the existing one.) 


3. With the control’s CLSID key selected, choose Edit, New, DWORD 
Value. 


4. Name the new DWORD value Compatibility Flags. 
5. Double-click the Compatibility Flags value. 


6. In the Edit DWORD Value dialog box, shown below, enter the 
hexadecimal value 400 (or click the Decimal option button and 
enter 1024). 


With the Compatibility Flags value set to 0x00000400, your ActiveX control 
becomes inactive—permanently. Windows will not run the control, no matter 
who calls it and no matter whether it’s updated or downloaded again. To 
resurrect the control, you need to remove the Compatibility Flags value that 
you just created. 


If you explore HKLM\Software\Microsoft\Internet Explorer\Activex 
Compatibility, you may find one or more CLSID entries that have 
Compatibility Flags values set to 400. Don’t mess with these—or, for 
that matter, with any of the other Compatibility Flags values. 
Microsoft has used this “kill bit” in the past to terminate 
troublesome ActiveX controls. It would be unwise to dig up a bad 
apple that has been successfully buried. 


Managing Java Applets 


A Java applet is a component written in Java, a 
cross-platform programming language created by 
Sun Microsystems. Unlike ActiveX controls, Java 
applets are not compiled to native Windows code. 
Rather, they run within a “virtual machine” (VM) 
—a software environment that emulates a 
hypothetical “native” Java computer. Java- 
enabled Web browsers, such as Internet Explorer, 
provide such a virtual machine. (The Microsoft 
VM is not included on the Windows XP distribution 
media but may be pre-installed by computer 
vendors. If your system lacks a Java VM, the 
Windows Update site offers to download 
Microsoft’s VM for you. Internet Explorer also 
offers to download and install it for you, if 
necessary, the first time you visit a site that 
requires it.) 


Downloaded Java applets, like downloaded 
ActiveX controls, are listed in your 
%SystemRoot%Downloaded Program Files folder. 
You can view their properties, update them, and 
remove them by right-clicking entries in that 
folder. 


Unlike ActiveX controls, Java applets normally do 
not have unrestricted access to your computer’s 
resources. Java technology originally limited 
applets to running in a restricted area of memory 
called the “sandbox,” where they were allowed to 
do only the following: 


e Access threads in the current 
execution context 


e Open network connections to the 
applet host so that the applet could 


download additional files if 
necessary 


Create a pop-up window with a 
banner warning users that the 
window was created from an applet 


e Access reflection application 
programming interfaces (APIs) for 
classes from the same loader 


e Read base system properties, such 
as processor type, Java version 
number and VM vendor, and 
operating system 


The sandbox restrictions provided a high degree 
of security at the expense of capability. To allow 
applets to carry out a wider range of functions, 
the Microsoft VM now employs a system of 
permission signing. In addition to authenticating 
an applet, a developer’s signature can specify a 
specific set of permissions required by the applet. 
The VM compares the permissions requested by 
the applet with the security settings that you 
have specified for the applet’s security zone and 
determines whether to allow the applet to run, 
block the applet, or prompt you for permission. 
For more details, see Java Security Settings. 


Managing Scripts 


A script is a program either embedded in a Web 
page or called by a <script> tag in a Web page’s 
HTML. Scripts are written in scripting languages, 
which are interpreted line by line at run time. 
Internet Explorer supports two such languages, 
VBScript and JScript. VBScript is a scripting 
version of Microsoft’s Visual Basic programming 
language. JScript is Microsoft’s functional 
equivalent of Sun Microsystems’s JavaScript (a 
scripting language that should not be confused 
with Java). 


Scripts can also be saved as stand-alone files 
(the extensions are .vbs for VBScript files and .js 
for JScript or JavaScript files) and executed 
outside the context of Internet Explorer by means 
of the Windows Scripting Host (WSH). 
Downloaded to users’ systems by way of e-mail 
attachments, scripts have a disreputable history, 
having served as the basis for several notorious 
mail-borne viruses. To avoid infection by script- 
based e-mail viruses, it’s smart to use an 
antivirus program that blocks dangerous e-mail 
attachments (as well as blocking the execution of 
script embedded in messages’ HTML). For details, 
see Protecting Yourself from Hazardous 
Attachments. 


Malicious scripts have also been used to extract 
data from other domains and send that 
information back to their own Web sites. The 
potential for cross-domain privacy breaches of 
this kind was first described thoroughly in 
February 2000 by the CERT Coordination Center 
at Carnegie Mellon University’s Software 
Engineering Institute. That report is still posted at 


http://www. cert. org/advisories/CA-2000-02.html. 
Microsoft has made changes to Internet Explorer 
to deal with such hazards, but as recently as 
February 2002, two years after the CERT 
publication, Microsoft reported a flaw in VBScript 
that permitted unauthorized cross-domain data 
access. (See Microsoft Security Bulletin MSO2- 
009.) 


The CERT document and others recommend that 
you defend yourself against cross-site scripting 
exploits by disabling scripting in your browser. We 
think that’s too drastic a solution for most users 
because most sites that use scripts do so for 
entirely benign and useful purposes. We do 
recommend staying current with Microsoft's 
security bulletins and Internet Explorer patches, 
however. 


If you’re still concerned about scripting exploits, 
you might consider configuring your Internet 
zone to prompt when a site wants to execute a 
script. You could then decide on a site-by-site 
basis whose scripts you want to allow, moving 
the sites you judge to be safe into a custom 
“script-safe” Internet security zone whose 
security settings matched those of the Internet 
zone except that scripting would be fully enabled. 


Internet Explorer includes a number of security 
settings that affect scripting. For information, see 
about creating a custom security zone, see 
Creating_a Custom Security Zone. 


As an alternative to creating a script-safe security 
zone, you can use a program like Jason Levine's 
Script Sentry (http://www. jasons- 
toolbox.com/scriptsentry.asp). You configure the 
program to allow certain scripts to run; Script 
Sentry allows the designated scripts to run 


without interruption but displays an alert 
whenever another script attempts to run. 


Chapter 9 


Stopping Viruses, Worms, and 
Trojan Horses 


It’s not your imagination. Computer viruses are 
becoming more prevalent, more virulent, and 
downright sneakier each year. Historians 
generally agree that the first computer virus 
appeared “in the wild” in 1981, many years 
before the release of Microsoft Windows. That 
first virus, disguised as a computer game, 
attacked the most popular computer of its day, 
the Apple II. It spread at a snail's pace, carried 
from one computer to another by infected floppy 
disks. 


More than two decades later, the spread of 
computer viruses and other forms of malicious 
software has perversely mirrored the incredible 
revolution in legitimate software during the same 
period. Some experts estimate that ma/ware (the 
broad term for all sorts of malicious software) 
grows by more than 15 percent a year. According 
to Sophos, a developer of antivirus software, 
more than 30 new viruses appear every day, and 
the roster of active viruses increases by more 
than 10,000 per year. 


Most of these viruses die a natural death almost 
instantly, but a handful reach critical mass each 
year—and when that happens, look out! Thanks 
to the Internet, e-mail, and the incredible 
popularity of Windows as a host, virus outbreaks 
can race around the world at breathtaking speed. 
In May 2000, for instance, the infamous 
LoveLetter worm (also known as ILOVEYOU or, to 
antivirus specialists, VBS.LoveLetter.A) infected 
millions of computers and shut down e-mail 
servers worldwide. Researchers eventually 


determined that this particularly nasty bug was 
launched from the Philippines and spread across 
Asia, Europe, and the United States in a matter 
of hours. 


In 2002, the experts at ICSA Labs surveyed 300 
businesses and government agencies and 
discovered that 28 percent of them had 
experienced a virus “disaster”—an infection that 
struck more than 25 computers in an 
organization—during the previous year. Individual 
users and small businesses, who don’t have the 
luxury of full-time support staffs and dedicated 
firewalls, are even more vulnerable. If a piece of 
hostile software slips through your defenses and 
infects your computer or your network, you'll 
understand why they call it a disaster. Cleaning 
up the mess can be expensive and time- 
consuming, and there’s no guarantee you'll be 
able to recover all your data. 


In this chapter, we discuss the complete 
spectrum of hostile software, often referred to as 
malicious code, or malware. We explain how 
viruses, worms, and Trojan horses attack your 
computer; how you can identify suspicious 
software and prevent infections; and how to 
clean up after an infection. We also offer practical 
advice on how to choose an antivirus software 
package that’s right for you. 


Security Checklist: Viruses, 
Worms, and Trojan Horses 


Don’t let a virus or worm take over 
your computer or network. Use this 
checklist to ensure that you're 
protected at all times. Some items in 
this list might be inappropriate for 
your computer or network 


configuration; read the information in 
this chapter carefully before 
proceeding. 


e Train all users of your 
computer and network 
in safe computing 
procedures. 


Install antivirus software 
on every desktop 
computer. 


Install a personal 
firewall on every desktop 
computer. 


Configure your e-mail 
software to block or 
quarantine potentially 
dangerous attachments. 


e If you have a network 
server, install antivirus 
software at the gateway. 


e Configure your antivirus 
software for regular 
updates, at least weekly. 


e Bookmark authoritative 
sources of information 
about viruses and virus 
hoaxes. 


e Institute a regular 
backup program. 


e Develop a recovery plan 
that you can implement 


in the event of a virus 
infection. 


How Malicious Software Attacks Your Computer 


Every year, antivirus software gets a little smarter. Unfortunately, the authors 
of malicious software programs are clever and persistent, too. The result is a 
constant struggle between legitimate software developers and the online 
vandals and criminals who write hostile software, with Windows users literally 
caught in the middle. Although viruses get a disproportionate share of the 
headlines, malware can actually take any of several forms. Before we explain 
how they work, it’s important to understand the types of threats you're likely 
to encounter: 


e A virus is a piece of code that replicates by attaching itself to 
another object, usually without the user’s knowledge or 
permission. Viruses can infect program files, documents (in the 
form of macro viruses), or low-level disk and file-system 
structures such as the boot sector and partition table. Viruses 
can run when an infected program file runs; they can also reside 
in memory and infect files as the user opens, Saves, or creates 
the files. When a computer virus infects a computer running 
Windows, it can change values in the registry, replace system 
files, and take over e-mail programs in its attempt to replicate 
itself (at which point it becomes a worm). A virus needn’t be a 
self-contained program, nor is it necessarily destructive, although 
some are. 


The plural of virus is viruses. Some misguided writers, 
in an attempt to sound educated, insist that the 
correct term is virii. They're wrong, as a visit to a 
definitive reference book (such as the Oxford English 
Dictionary) or any first-term Latin primer will confirm. 
(And even if these writers were on the right track, virii 
would be the plural of virius, which isn’t a word in any 
of our dictionaries.) If you ever need to settle a bet 
with someone who insists that the word virii exists, 
point them to this Web site, which contains a thorough 
and witty dissertation on the topic: 

http://www. perl.com/language/misc/virus.html. 


e Worms are independent programs that replicate by copying 
themselves from one computer to another, usually over a 
network or through e-mail attachments. The most virulent 
outbreaks of hostile software in recent years have originated with 
worms. Many of these threats also contain hostile code designed 
to destroy data files or to launch denial-of-service attacks against 
other computers. The distinction between worms and viruses can 
be blurry, even to security experts. 


e Trojan horses are programs that run without the victim’s 
knowledge or consent; although they can be harmless, most 
Trojan horse programs in circulation today perform functions that 
compromise the security of the computer by exploiting the user’s 
access rights and privileges. A Trojan horse program might arrive 
as an e-mail attachment or a download from a Web site, usually 
disguised as a joke program or a software utility of some sort. 
Attackers typically rely on basic “social engineering” techniques 
to dupe unwitting victims into installing the software. For 
instance, an attacker might contact a potential victim using 
Internet Relay Chat (IRC) with a warning that a particularly nasty 


virus is going around, and then provide a link to a Trojan horse 
program that masquerades as a virus cleanup utility! 


e Blended threats represent a new class of sophisticated and 
malicious software that combines the characteristics of viruses, 
worms, and Trojan horses to create especially potent attacks. 
Unlike garden-variety viruses, which typically spread by hijacking 
e-mail address books on computers running Windows, blended 
threats often target Web servers and networks, which enable the 
malicious code to spread rapidly and cause extensive damage. 


A Glossary of Malware 


Web sites and mailing lists run by the makers of antivirus software 
are essential resources for tracking down details about viruses and 
their behavior. If you have to clean up an infected system, you can 
often find step-by-step instructions and downloadable utilities to 
assist in the process. Decoding the language of antivirus software 
and solutions isn’t always easy, however. Here are definitions of 
some terms your're likely to encounter: 


Disinfect. To remove a virus from memory and to remove all 
installed components of the virus. Completely disinfecting a system 
that has been infected by a virus can require manual steps in 
addition to the automated procedures performed by an antivirus 
program. 


Dropper. The component of a virus that installs (or “drops”) the 
virus code itself on a computer system, usually as a file. 


File virus. A class of virus consisting of hostile code that can attach 
itself to program files; also known as a file infector. File viruses can 
infect programs with the .exe and .com file name extensions; they 
can also attack lesser-known types of executable files, such as 
those with the extensions .sys, .ovl, or .drv. File viruses often 
remain in memory after they run, continuing to infect any program 
that the user of the infected computer subsequently launches. 


Heuristic analysis. A technique used by some antivirus software to 
identify a possible virus based on its behavior rather than on a virus 
signature. In theory, this type of scan can stop a new virus even 
before the antivirus software developer has updated the program’s 
signature files; however, heuristic scans can also turn up false 
positives when a trusted program behaves in a way that resembles 
the behavior of a virus. 


In the wild. A phrase used to describe a virus that is actively 
spreading among computer users and is not restricted to a 
laboratory environment. 


Macro virus. A program or fragment of code written in the internal 
macro programming language of an application (such as Microsoft 
Word or Microsoft Excel) and stored in a document file. If security 
settings in the program allow the macro virus to run when the 
document is opened, the virus can cause damage and replicate to 
other documents. 


Payload. The destructive portion of a virus. Depending on the 
malicious intent and skill of the virus writer, the code in the payload 
can destroy or corrupt data files, wipe out installed programs, or 
damage the operating system itself. 


Polymorphic virus. A virus that has the ability to change its byte 
pattern when it replicates; also Known as a mutating virus. A virus 
writer can also incorporate encryption routines that cause the virus 
to look completely different on different computers or even within 
various infected files on the same computer. This characteristic 
allows the virus to avoid detection by antivirus scanners that look 
for specific strings of text in specific locations. 


Scanning. The process of searching memory and saved files for 
viruses. Using antivirus software, you can scan one or more files (or 
an entire disk) manually. Most antivirus programs also include an 
active, or real-time, scanning feature, which inspects files and e- 
mail attachments as they’re accessed, to detect and block viruses 
before the user can inadvertently execute the infected file. 


Virus signatures. The tell-tale signs that identify the content and 
behavior of specific viruses, worms, and Trojan horse programs; 
also known as patterns or definitions. All makers of antivirus 
software use signatures to detect viruses, and they update their 
virus definition files regularly in response to newly discovered 
strains. Without an up-to-date definition file, antivirus software is 
ineffective at best and potentially dangerous because of the false 
sense of confidence it engenders. 


Some malware attempts to enter your system brazenly, in the form of an 
executable program that disguises its true purpose. W32.Gibe@mm, for 
instance, is a mass-mailing worm that first appeared in 2002; it arrives as an 
attachment claiming to be a Microsoft security update called Q216309.exe. 
(Note the similarity to Microsoft Knowledge Base numbers used to identify 
legitimate security updates.) Other executable files might offer to install a 
screen saver or display an animated cartoon. An intended victim who runs the 
executable file might see a series of dialog boxes intended to lull the user into 
believing that the program ran as intended. In the background, of course, the 
virus code is installing itself without the victim’s knowledge. The 
W32.Gibe@mm virus displays the dialog box shown here, which probably looks 
legitimate to an unsophisticated user: 


“If the victim clicks the Yes button, the worm displays a progress dialog box 
that also looks authentic, followed by this message box: 


“| What’s In a (Virus) Name 

When a new virus, worm, or Trojan horse appears, every maker of 
antivirus software rushes to identify it, determine its behavior and 
mode of transmission, and develop a fix that can block it. As part of 
the process, they have to give the virus a name. But problems can 
arise when different software developers call the same virus by 
different names. To help bring order out of this chaos, an invitation- 
only group called the Computer Anti-Virus Researchers Organization 
(CARO) has developed a naming convention for viruses. Today, most 
firms that specialize in antivirus software adhere to these general 
guidelines, although some tack on prefixes and suffixes that are 
unique to their products. Although reports in the mainstream press 
often refer to a virus or worm by its popular name (SirCam, Gibe, or 
Goner, for instance), technical information is typically organized 
using the standardized names (W32.Sircam, I-Worm.Gibe, 
W32/GonerA@mm). 


A virus name consists of the following elements: 


A prefix that identifies the virus type. Most viruses 

that attack computers running Windows use the W32 
(32-bit Windows virus), I-Worm (Internet Worm), JS 
(JavaScript), or VBS (Visual Basic Script virus) prefix. 


e A family name. This name is usually drawn from the 
virus code itself. 


e Major variant. If this suffix is present, it’s in the form 
of a number that identifies the file size of the virus. 
Most antivirus software firms omit this element. 


e Minor variant. This suffix is usually a letter that 
distinguishes alternative versions of a single virus that 
are in circulation. 


In addition, some names now use the suffixes @m and @mm to 
identify viruses that spread by e-mail or by mass mailers, 
respectively. 


Other hostile programs attempt to disguise the fact that they are executable 
attachments by masquerading as innocent data files. The most common 
technique for virus writers who use this sort of attack is to give the attachment 
two file name extensions—the notorious LoveLetter worm, for instance, spread 
by means of an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. 


The final extension is the one that actually associates files of that type with a 
program; in the case of the LoveLetter worm, the .vbs extension fires up the 
Windows Script Host and runs the payload of the virus—a destructive script 
that deletes a slew of data files and replaces other files with copies of the virus. 
Because many versions of Windows hide file name extensions by default, the 
would-be attacker is counting on the victim to believe that the file is a 
harmless text document named LOVE-LETTER-FOR-YOU. TXT. 


Upgrade your e-mail program for best protection 


Recent versions of Microsoft Outlook and Microsoft Outlook Express 
offer multiple layers of protection from viruses that use the “two file 
name extensions” trick. Regardless of the settings in Windows 
Explorer, attachments received by Outlook Express versions 5 and 6 
always show the full name of the file, including multiple extensions. 
The same is true of Outlook 2000 and Outlook 2002. Even if a virus 
using this technique slips undetected past installed antivirus 
software, an alert user of any of these e-mail programs should have 
no problem spotting the potentially dangerous attachment before 
executing or saving it. To avoid being fooled by hidden file name 
extensions in saved files, follow the procedures outlined in Blocking 
Dangerous Attachments. 


The most dangerous forms of hostile software try to enter your computer 
system through the back door, without requiring any action by the user. Viruses 
in this category work by exploiting vulnerabilities in scripting engines, in 
ActiveX controls, in Java applets, and in the code that renders Hypertext 
Markup Language, or HTML (buffer overflows, for example). 


For more details about how buffer overflows and other HTML 
exploits work, see How Hack Attacks Work. 


Attachment-Borne Viruses 


By far the most common source of widespread computer virus outbreaks is the 
class of hostile software that replicates by sending itself to other potential 
victims as an attachment to an e-mail message. Although each such virus is 
different (some, in fact, are as complex as many commercial programs), 
attacks of this type have certain common features. 


The accompanying message often uses “social engineering” techniques 
designed to lure inattentive or gullible users into opening the infected 
attachment. One common ruse is to try to convince the recipient that the 
attachment is a salacious picture. One widely publicized virus in 2001, 
VBS.SST@mm, claimed to contain a picture of tennis star Anna Kournikova. 
The MyParty virus (W32.Myparty@mm) arrived in an e-mail message with the 
subject “new photos from my party!” and a message that read in part, “I have 
attached my web page with new photos!” 


Beware the .com extension 


The author of the MyParty virus, which first appeared in January 
2002, exploited a technological quirk that in turn exploits the widely 
used .com extension. Today, the “dot-com” suffix is known to 
millions of Internet users as the most popular ending for domain 
names of commercial enterprises. But anyone who ever used a 
personal computer running MS-DOS remembers that .com is also a 
perfectly legal file name extension for an executable program. 
Although modern Windows-based programs rarely use the .com 
extension, all versions of Windows can still execute programs whose 
names end in that extension. The attachment that the MyParty virus 
mass-mails is named www.myparty.yahoo.com. Although it looks 
like a harmless link to an enormously popular Web site, this 
attachment actually installs a Trojan horse program on computers 
running Windows 2000 and Windows XP. If someone sends you an 
attachment with a .com file name extension, don’t open it unless 
you're absolutely certain it’s a legitimate program! 


Although most attachment-borne viruses arrive with displays written in English, 
a disproportionate number originate from outside the United States. Because 
the authors of such viruses are typically not native English speakers, the 
accompanying messages frequently contain grammatical errors, awkward 
syntax, and misspellings, such as those shown here. These characteristics can 
be important clues when you’re trying to decide whether a suspicious message 
is a virus, especially if the message was sent from an infected computer 
belonging to someone who normally writes in fluent English. 


*Early versions of mass-mailing worms and viruses took over existing e-mail 
client programs, such as Outlook Express and Outlook. The infamous Melissa 
macro virus (W97M.Melissa.A), for instance, infected a Word document with its 
macro virus and then hijacked Outlook 97 to send 50 copies of the infected 
document to addresses found in the victim’s Outlook Contacts folder. More 
modern mass-mailing viruses often contain their own mail transport agent, 
allowing them to circumvent security controls on the installed e-mail client 
software. These hostile programs can harvest e-mail addresses from a variety 
of locations, including Outlook’s Contacts folder and the Windows Address Book 
used by Outlook Express, and can even look for mailto: links in Web pages 
saved in the browser cache on the infected computer. 


Some viruses actively try to remove or disable antivirus programs and firewall 
software, with varying degrees of success. Of course, for this tactic to succeed, 


the virus or worm must first slip undetected past the protective software, 
which raises the question of how effective that particular software was in the 
first place or whether the user missed a crucial update. 


Avoid administrator accounts 


In Chapter 2, “Windows Security Tools and Techniques,” we explain 
why some security experts recommend that you log on for everyday 
computing tasks using an account that is not a member of the 
Administrators group. This precaution can pay a tremendous 
dividend if you inadvertently execute a piece of hostile software 
such as a virus or a Trojan horse. The rogue program runs using the 
same privileges assigned to your logged-on account. By deliberately 
restricting your administrative rights, you might be able to prevent 
the unwanted code from tampering with the Windows registry or 
replacing crucial system files. 


Needless to say, the typical virus author doesn’t usually have formal training 
and certainly doesn’t invest in comprehensive testing and quality-control 
programs, as legitimate software developers do. As a result, viruses that arrive 
via e-mail are often riddled with bugs and programming mistakes that prevent 
them from carrying out all their intended functions. Ironically, those flaws can 
be a blessing in disguise for anyone victimized by a virus. 


Attacks from the Web 


Although viruses that spread via e-mail attachments have been to blame for 
the majority of attacks in recent years, some security experts believe that 
other modes of transmission represent a far greater threat and will become 
more prevalent in the future. By their nature, attachments require some 
cooperation from an unwitting or distracted user; that requirement dramatically 
limits their potential to spread unchecked. As a result, authors of hostile 
software are always on the lookout for techniques they can use to spread 
infections automatically. 


One popular mechanism is the use of scripts, written in languages such as 
JavaScript, Jscript, or VBScript (the popular name for Microsoft Visual Basic 
Scripting Edition), that automatically take actions on the intended victim's 
computer when he or she visits a Web page or views an HTML-formatted e-mail 
message. The Kak worm (VBS.Kak.Worm), which made its debut in December 
1999, takes advantage of a weakness in older versions of Outlook and Outlook 
Express to place the virus on a system automatically. Then, simply viewing the 
infected message on a vulnerable computer is enough to trigger the virus. This 
particular exploit does not affect Windows 2000 or Windows XP, but it does 
illustrate the general problem of script-based attacks. 


Install patches when they’re released 


The history of the Kak worm offers a great illustration of why it pays 
to install security updates and operating system patches promptly. 
The vulnerability that made the Kak worm possible was documented 
in Microsoft Security Bulletin MS99-032, which also included a patch 
that plugged this security hole. Anyone who installed this patch 
when it was released was protected from this worm, which executed 
automatically on unpatched computers; the rapid and extensive 
spread of the Kak worm is a depressing indicator of how difficult it is 
to convince most Windows users of the need to be alert for security 
updates. 


ActiveX and Java components are executable programs that can be 
downloaded and installed from the Web, expanding the capabilities of Microsoft 
Internet Explorer. The architectures of both ActiveX and the Java Virtual 
Machine include elaborate security precautions intended to eliminate the 
possibility of a hostile program installing itself without your permission. Those 
barriers, however, do not stop some would-be vandals from trying to sidestep 
the built-in security. One widely used technique, available in several variations, 
is known as JS.Exception.Exploit. Each of the hostile programs exploiting this 
vulnerability uses JavaScript and a documented security hole in some versions 
of the Microsoft virtual machine to run code on your computer without your 
permission. Operators of pornographic Web sites are notorious for embedding 
this code on their home pages; an unsuspecting visitor using a vulnerable 
computer will find his or her home page changed automatically, and the only 
way to undo the change is to remove the hostile code. An Internet Explorer 
patch released in October 2000 fixed this vulnerability, but similar 
vulnerabilities could well crop up in the future. 


Don’t click that link! 


Most spam is relatively harmless junk mail, but a small number of 
unsolicited messages sent via Internet e-mail contain links to sites 
that contain viruses or Trojan horse programs. Clicking one of these 
links can open a browser window that invites the user to install a 
hostile program; if the page is able to successfully exploit an 


unpatched vulnerability, the damage could even occur without any 
action by the user. To avoid this sort of attack, try to filter out as 
much spam as possible before it reaches your inbox, and emphasize 
to every user of every computer on your network that they should 
never, ever click a Web link in a spam message, no matter how 
tempting. 


Attackers also take advantage of newly discovered vulnerabilities in the HTML- 
based rendering engine of all versions of Windows. Buffer overruns, for 
instance, can be used to overwhelm ordinary defenses and allow a hostile 
program to run. An unsuspecting user can encounter this sort of attack by 
visiting a Web page or receiving an HTML-formatted e-mail message that 
includes the exploit code. You have a wide variety of options for preventing 
Web-based attacks, including the capability to completely disable all scripts and 
active content such as Java applets and ActiveX controls. 


For more details about increasing the security of Internet Explorer, 
see Chapter 8, “Making_Internet Explorer Safer.” 


Trojan Horse Programs 


The tale of the Trojan horse is one of the most enduring in Greek mythology. A 
giant wooden horse was left outside the gates of Troy by the apparently 
defeated Greeks after a decade-long war. The Trojans hauled the “gift” inside 
their gates and celebrated. The horse, of course, concealed a small army of 
Greek soldiers; they emerged after dark, opened the gates for their waiting 
comrades, and led the Greek army to a decisive victory. 


Trojan horse programs follow the same principles of guile, concealment, and 
hostile infiltration, with your computer as the target. Typically, a remote 
attacker lures a victim into installing the Trojan horse program by concealing 
the hostile code within a “wrapper” that appears to be benign. The program 
might masquerade as a game or a Screen Saver, as a patch to Windows or 
Internet Explorer, or as a utility for downloading or viewing media files. As part 
of its installation routine, the Trojan horse program might actually install a 
harmless program, or it might pretend to fail, displaying an error message to 
the user. In either event, the dirty work is actually happening in the 
background, as the program installs its executable files, alters entries in the 
Windows registry, and makes other system modifications. 


Trojan horse programs are not unique to Windows. Over the past two decades, 
security experts have discovered hundreds of these programs in the wild, 
infecting computers running MS-DOS, Unix, Linux, Mac OS, OS/2, Palm OS, 
and every version of Windows. Once installed, a Trojan horse program can do 
anything that the user who installed it can do, including changing or deleting 
files, installing other programs, and transmitting information to a remote 
location. After successfully convincing a victim to install a Trojan horse program 
that lets them take over the remote computer, some attackers are content to 
use their remote connection to play pranks on the victim, but the potential for 
damage from a truly malevolent attacker is chilling: 


e The attacker can delete files, including data files and crucial 
system files. 


The intruder can steal data, including credit card numbers, 
passwords, and sensitive business files. The mode of theft can 
include copying files, logging keystrokes, or capturing the 
contents of screens. 


e Using the infected system, the attacker can try to gain access to 
other computers on the victim’s local network or on the Internet. 
Using a group of infected computers as “zombies,” the attacker 
can control them remotely and launch distributed denial-of- 
service attacks against Web servers, flooding the target server 
with massive amounts of data and effectively locking out 
legitimate traffic. 


By exploiting other vulnerabilities in the operating system or 
installed applications, an attacker might be able to launch an 
“escalation of privilege” attack, which can increase the level of 
access beyond the level normally available to the user who 
installed the program in the first place. A successful attack of this 
sort can give the attacker the privileges of a system service or a 
network administrator. 


Some of the most widespread viruses and worms of recent years include a 
Trojan horse component in their payload. The Gibe worm, for instance, includes 
a backdoor component, Gfxacc.exe, that installs itself in the %WinDir% folder 


and modifies the Windows registry so that the backdoor component 
automatically runs at startup. 


A computer infected with a Trojan horse program often acts as a network 
server, accepting inbound connections on a specific port number. The Gibe 
backdoor, for instance, listens for connections on TCP port 12378. Attackers 
who run port-scanning software can detect the open port, surreptitiously 
connect to the Trojan horse server, and take control of the infected computer, 
all without the victim’s knowledge. 


For more details about how TCP and UDP ports work and how to 
block unwanted connections, see How Ports and Protocols Allow 
Access to Your Computer. 


Other Attacks 


Viruses and other hostile software can sneak onto a computer through several 
avenues besides e-mail attachments and the Web. One increasingly popular 
mode of transmission for malware is via shared network drives. The notorious 
Nimda worm, for instance, searches for open network shares, attempts to copy 
itself to any shared drives it finds, and then executes, creating new network 
shares on the infected computer that allow full control by the Everyone group. 
The worm also creates a Guest account and adds it to the Administrators 
group. 


Viruses that spread over a network are insidious. A single infected computer 
can infect dozens or hundreds of other computers, and an administrator can 
have a difficult and frustrating time tracking down the source of the infection. 
Even with effective attachment-blocking software on e-mail servers and 
properly configured firewalls, a network is vulnerable to this sort of attack if a 
user brings an infected notebook computer into the office and successfully 
connects to the network. 


A clever virus author can also craft hostile code that spreads via instant 
messaging clients, such as MSN Messenger, Windows Messenger, AOL Instant 
Messenger, and Yahoo!*s Messenger. Several viruses that spread automatically 
via MSN Messenger and Windows Messenger have already been discovered in 
the wild. A worm that targeted AOL Instant Messenger has been demonstrated, 
although AOL patched the vulnerability that made the worm possible before 
attackers could take advantage of it. AOL's venerable ICQ program and 
variations of standard Internet Relay Chat (IRC) clients are also theoretically 
vulnerable to this sort of worm, although you are far more likely to be targeted 
by another user trying to plant a Trojan horse program than by a self- 
propagating worm. 


Finally, file-sharing programs that work over the Internet (also known as peer- 
to-peer file-sharing software, or p2p) can also serve as vectors for viral 
infections. Napster, which allowed users to freely exchange music files in the 
MP3 format, was the first and best known of this class of software. But newer 
offerings such as Morpheus and KaZaA offer the capability to share files of any 
sort, including types of files that can be infected with a virus or a Trojan horse 
program. 


Don’t Fall for Virus Hoaxes 


The Internet is a fertile breeding ground for hoaxes, rumors, and 
misinformation. That’s especially true when the topic is computer 
viruses. Well-meaning but misguided computer users routinely 
forward hysterical virus alerts via e-mail. Most of the time, these 
alerts are bogus. Some, in fact, have been around for nearly a 
decade. 


Virus hoaxes typically have unmistakable common characteristics. 
Most often, the message is a forwarded copy that cannot be traced 
back to an authoritative source, although the message might 
vaguely attribute the alert to Microsoft, McAfee, IBM, or another 
legitimate-sounding source. It’s usually filled with breathless details 
of the dire fate that will surely befall anyone who is attacked by this 
particular virus. And, inevitably, the anonymous author urges 
recipients to forward the message to everyone they know. One of 
the earliest virus hoaxes warned recipients to beware of an 
incoming message with the subject “Good Times”: 


There is a virus on America Online being sent by H-Mail. 
anything called "Good Times", DON'T read it or download i 
virus that will erase your hard drive. Forward this to al 
It may help them a lot. 


Most virus hoaxes are started by pranksters and passed on by 
gullible users who don’t know any better. For the most part, these 
uninformed and erroneous messages are simply annoying, and their 
only deleterious side effect is the time and energy you expend 
deleting the message and, perhaps, responding to the sender so 
that he or she doesn’t get sucked in by another hoax. Occasionally, 
though, a virus hoax includes bad advice, as was the case in the 
infamous Suflnbk.exe hoax of 2001, which convinced an untold 
number of Windows 98 users to delete a perfectly legitimate system 
file that the hoax message misidentified as a destructive virus. 


Hoaxes and hysterical warnings routinely reappear on the Internet. 
Occasionally, some enterprising soul revives an old warning, 
changing the dates and other details of a reputed virus and 
launching a fresh hoax into the world. If you receive a virus alert via 
e-mail, you can quickly determine whether it’s a hoax by visiting the 
Web site of any leading antivirus software maker; these three sites, 
for instance, have pages dedicated to virus hoaxes: 


e Symantec Hoax Alerts: 


http://www.symantec.com/avcenter/hoax.html 


e F-Secure Hoax Warnings: 


http://www. europe. datafellows.com/virus-info/hoax/ 


e McAfee.com Virus Hoax Listings: 


http://vil.mcafee.com/hoax.asp 


In addition, you can find excellent collections of resources for 
debunking all sorts of Internet hoaxes, including chain letters and 
phony or exaggerated virus warnings, at these sites: 


e ICSA Labs Anti-Virus Hoaxes: 
http://www. icsalabs.com/html/communities/antivirus/ 


hoaxes.shtml 


e Rob Rosenberger’s Vmyths.com: 
http://www.vmyths.com 


Under rare circumstances, you can and should warn others about a 
virus currently making the rounds. Keep the distribution list small, 
and stick to the facts that your recipients need to know: the name 
of the virus, for instance, and a suggestion that they update the 
signatures for their antivirus software. Be sure to include a link to 
more detailed information about the specific virus, preferably from 
the Web site of an antivirus software vendor, so that technically 
minded readers can get the most recent information. 


Identifying Malicious Software 


How do you know when your computer has been 
invaded by hostile software? The worst way to 
find out is to receive a frantic message from a 
friend or business associate complaining that 
they've just received an e-mail message with an 
infected attachment from your computer. In the 
case of a Trojan horse program or a virus that 
disguises its source, however, you might not have 
such a clear-cut indicator. In those cases, you 
must be alert for changes in the behavior of your 
computer that could indicate the presence of a 
virus or a Trojan horse program. 


Don’t be fooled by forged 
addresses 


If someone complains that you've sent 
them a virus, you should always take 
the report seriously, but don’t assume 
that it’s accurate. Virus writers can 
and do craft their code so that it 
forges the source of infected e-mail 
messages. Some versions of the Klez 
virus, for instance, which first 
appeared in early 2002, search for e- 
mail addresses in the Windows 
Address Book, the ICQ database, and 
local files on the infected computer. 
The virus randomly selects one of the 
addresses it finds to use as the From 
address on messages it sends to other 
potential victims. Anyone who receives 
a copy of this virus and doesn’t know 
how it works will logically (and 
incorrectly) assume that the apparent 
sender’s computer is infected. 


The tendency of computers to do strange things 
for no apparent reason can complicate this task. 
Performance problems, system lockups, and odd 
error messages are far more likely to be caused 
by a buggy program or device driver than by a 
virus. Nevertheless, any time you observe any of 
the following symptoms, you should take steps to 
check for the presence of a rogue program: 


e Unexpected disk access. By their 
nature, Trojan horse programs 
access hard disk files when the 
local user is doing nothing. 
However, many legitimate 
programs, including several 
components of Windows, also 
access the hard disk in the 
background. In some cases—for 
example, when the Windows 
Indexing Service is building its 
catalog of files for a drive—this 
activity can take a long, long time. 
If you notice sudden bursts of disk 
activity, try to trace the responsible 
application. 


e Sudden system slowdowns. A 
virus or a Trojan horse program can 
sap system resources and make 
other activities painfully slow. 
Unfortunately, so can a wide variety 
of system configuration problems. 
If you notice performance 
problems, try to rule out the 
presence of a virus as one of the 
first steps in your troubleshooting 
process. 


e Unexpected network traffic. 
Many forms of hostile software 
attempt to hijack your network 
connection—to spread virus code to 
other computers, for instance, or to 
use a Trojan horse program’s file- 
transfer and keyboard logging 
capabilities to steal information. 
Unfortunately, a blinking red light 
on your network adapter is not a 
surefire sign of a malicious program 
at work; an increasing number of 
programs, including antivirus 
packages, include features that 
assume you have an always-on 
Internet connection and check for 
updates at regular intervals. If you 
see unexplained network traffic, try 
to identify its source. (Many full- 
featured personal firewall programs 
offer excellent tools for identifying 
and, if necessary, blocking 
unwanted network connections; see 
“Identifying Intruders” for more 
details.) 


e Changes in the size or name of 
program files. Viruses and worms 
spread by infecting other files. If 
you notice a change in the size or 
name of an executable file, the 
alteration could be a sign that the 
file has been infected (or that the 
Original file has been deleted and 
replaced with an infected file). 
Although you aren't likely to notice 
this type of change by simply 
looking through file listings, some 
antivirus and firewall programs will 


alert you when they detect changes 
that resemble virus activity. 


Troubleshooting 


Your computer is active for no 
apparent reason 


When you’re trying to figure out which 
application is responsible for a sudden 
burst of disk or CPU activity, your first 
stop should be the Processes list in 
Windows Task Manager. Press 
Ctrl+Shift+Esc and then click the 
Processes tab to display a list of all 
currently active processes, as shown 
in Figure 9-1. The CPU column shows 
what percentage of your CPU is in use 
by each process; by default, it’s 
updated every second. To see which 
processes are hogging your computer, 
click the CPU heading twice to sort in 
descending order. Scroll to the top of 
the list and watch the display; 
processes that are currently active will 
float to the top of the list. 


“-Figure 9-1. If your computer is 
behaving strangely and you 
suspect a virus, look for 
unexplained entries in this list. 


If you can’t identify an entry in the list 
of processes, don’t assume that it’s a 
hostile program. A much more likely 
explanation is that the process is a 
module from a program you installed. 
To identify the mystery process, make 
a note of its name as it appears in the 
Processes list and then use the 


Windows Search utility to find that 
executable file. Right-click the file 
icon, choose Properties, and look for 
details of the program, typically found 
on a Version tab. (If the process is 
listed as svchost.exe, the responsible 
program is running as a Windows 
service; type tasklist /svc ata 
command prompt to see the full list. ) 


The most reliable way to identify a virus, of 
course, is by scanning your system with an up- 
to-date antivirus program. This procedure will 
reliably detect any virus whose characteristics are 
included in the program’s signature files. Virus 
scanning is not foolproof, however. Be aware of 
two potential problems: 


e Undetected viruses. The process 
of creating virus signatures is 
reactive. After a new virus appears 
in the wild, software developers 
must pick it apart, analyze its 
behavior, add its characteristics to 
the signature file for their antivirus 
program, and make the new 
signature file available. Even if your 
antivirus program is configured to 
check for updates regularly, you 
could be unprotected from a new 
virus for a short period of time. This 
lapse in coverage can be extremely 
damaging in the crucial first few 
days of a widespread virus attack. 


Because new viruses can crop up at 
any time, you should never rely on 
antivirus software alone to protect 
you from potential threats. To add 


multiple layers of protection, you 
should block executable e-mail 
attachments (see Protecting 
Yourself from Hazardous 
Attachments for details) and be 
sure to install all security updates 
promptly. 


False positives. In some relatively 
rare circumstances, an antivirus 
scan can incorrectly alert you that a 
program file is infected with a virus 
when in fact the file is perfectly 
safe. False positives can usually be 
attributed to one of two problems: 
a signature file that contains an 
erroneous definition of a specific 
virus; or a heuristic scan that 
detects the activity of a legitimate 
program, such as an installer or 
disk utility, and flags it as a possible 
virus. 


Whenever your antivirus software 
sounds an alarm, you should take it 
seriously, but you should also 
consider the possibility that it might 
not be the real thing. How can you 
tell a false positive from an actual 
virus? Start by looking at the alert 
itself. If it suggests that a heuristic 
scan is responsible for the alarm, 
you know that the suspicious 
behavior doesn’t match any known 
virus in the program’s signature 
file. If the alert includes the name 
of the suspected virus, head for the 
antivirus software maker’s Web site 
and try to find additional identifying 


characteristics of that virus to 
confirm whether it’s actually 
present on your system. If you 
can’t find a definitive answer, send 
the suspect file to your antivirus 
software vendor and ask them to 
confirm whether it’s truly infected 
or a false positive. 


If you suspect that your computer has 
been infected with a virus, avoid using 
it to browse the Internet or send e- 
mail. If you are indeed infected, you 
risk spreading the virus far and wide 
by remaining connected to the 
Internet. In fact, because so many 
modern viruses can spread over 
network shares, a sensible precaution 
is to unplug the network cable 
temporarily, until you can be certain 
that your computer is clean or that 
you’ve contained the infection. Find 
another computer, one you’re certain 
is free of any tainted code, to research 
the symptoms you're experiencing; 
and use that clean computer to 
download any needed cleanup 
instructions or tools. 


The Internet is a rich source of complete and 
accurate information about viruses, worms, and 
other hostile software. Unfortunately, a random 
search of the Internet for information about the 
term “computer viruses” will also turn up a long 
list of links to sites that are incomplete, out-of- 
date, or run by scam artists. We strongly 
recommend that you start your search for 
definitive information with the vendor that 
supplies your antivirus software, because that 


company is most likely to have information and 
step-by-step instructions that are directly 
applicable to your system configuration. Virtually 
every major company that produces antivirus 
software offers a searchable Web-based list of 
viruses; we've included links to these invaluable 
information sources in the next section. In 
addition, we suggest bookmarking these two 
independent sites, which offer up-to-date, 
unbiased information about currently active 
viruses: 


e ICSA Labs’ Virus Alerts: 
http://www.trusecure.com/html/tsp 
ub/hypeorhot/rxalerts/rxrbindex.sh 


tml 


e CERT Coordination Center 
Computer Virus Resources: 


http://www.cert.org/other_sources/ 


viruses. html 


Choosing an Antivirus Program 


The only computer that’s absolutely safe from hostile software is one that’s 
been unplugged and locked away. For everyone else, the risks of computer 
viruses are too great to ignore. Given the pandemic nature of viruses and 
worms, and their astonishing ability to reproduce, the conclusion is clear: No 
serious Windows user can afford to be without effective antivirus protection. 


Even a quick survey of the marketplace turns up more than a dozen highly 
regarded antivirus packages. They’re not all created equal. Which one is right 
for you? To narrow the field, ask yourself the following questions: 


Do I need a personal or network antivirus solution? As the name implies, 
personal antivirus software is designed to run on a single computer. Network- 
based antivirus software, in contrast, usually includes a central management 
console, where you can download a single copy of updated definitions and push 
them out to other computers on the network. Network antivirus software 
makes the most sense on managed networks of 25 computers or more. 


Is the program compatible with my version of Windows? Antivirus 
utilities work by hooking directly into the Windows file system, typically using 
file-system filter drivers. Because of the profound architectural differences 
between various versions of Windows, most antivirus programs and other low- 
level utilities will not work properly unless they were designed specifically for 
your version of Windows. Despite the many similarities between Windows 2000 
and Windows XP, antivirus programs written for Windows 2000 might not work 
properly when installed under Windows XP. Insist on a guarantee of 
compatibility with your version of Windows. 


Does the virus scanning engine integrate with my e-mail program? The 
most effective protection against viruses that travel as e-mail attachments is to 
detect and quarantine them on arrival. To accomplish this task, the antivirus 
program needs to hook directly into the e-mail software. Several leading 
antivirus programs are capable of working in tandem with Outlook Express and 
Outlook 2000 or later. Before you pay for an antivirus program, make sure it 
can handle incoming e-mail properly. 


Does it integrate with my personal or corporate firewall? Increasingly, 
makers of security software are combining firewall features and virus 
protection in a single package. If you have a hardware router or firewall, it 
might be designed to work closely with a particular antivirus product. For 
instance, some Linksys routers can hook up with Trend Micro’s PC-cillin 
antivirus package. If you’re looking for several pieces of the security puzzle, an 
integrated solution could be cost-effective and easier to manage. 


Can the software be configured to update itself automatically? Unless 
you're so supremely organized that you know you'll never skip your weekly 
update, this feature is crucial. AS we noted earlier, for any antivirus package to 
be effective, it must be updated regularly. This updating works best as a 
background process that doesn’t require any intervention on your part. 


How much does the software cost? Don’t look only at the price tag of the 
software. Be sure to include subscription costs for updated virus definitions 
(typically renewed annually at about half the original cost of the software). If 
you have more than one computer to protect, budget for a separate license for 
each computer. And don’t ignore support. Some antivirus programs include 
round-the-clock support, free of any extra charges; other programs include no 
telephone support or provide only per-incident support, where a single incident 
can cost more than the original license. 


It’s never too late to switch 


Many new computers arrive with a bundle of software already 
installed. Often, this bundle includes security software such as an 
antivirus program. Is this “free” antivirus software really a good 
deal? Only if it suits your requirements and works comfortably with 
your other software. 


We recommend that you look at the full range of antivirus options, 
including the bundled software that came with your computer, and 
make your decision based on your security needs. Don’t let false 
economies dictate your decision—the average cost per computer to 
install a new antivirus program is typically between $20 and $50; 
and after the initial grace period expires, the antivirus software 
vendor will probably charge you for an annual subscription to 
updated definition files. In addition, readily available promotional 
offers can reduce the cost of a new antivirus program. If you decide 
that the bundled software is indeed your best deal, be sure to install 
the latest virus definition files immediately. 


Is a trial version available? Reviews and newsgroup postings are a helpful 
way to gather opinions from other people who have used a product. But they 
can’t substitute for direct, hands-on experience. After you narrow the 
contenders to a few finalists, see whether you can download trial versions and 
use them for 60 days. Use this test period to try different options. 


Is the software certified by ICSA Labs? The average computer user has no 
way to generate virus-infected files and e-mail messages to test an antivirus 
program, and the numbers that software makers include with their wares can 
be misleading at best. Is a program that claims to block 70,000 viruses really 
better than one that blocks “only” 50,000 viruses? Both programs almost 
certainly block every known virus likely to be found in the wild. So how do you 
know that a particular piece of software actually does what it’s supposed to do? 
Look for certification by ICSA Labs, a leading independent tester of this class of 
software. To earn certification, a program must detect 100 percent of all known 
in-the-wild viruses and 90 percent of inthe-lab viruses. You can find an up-to- 
date list of certified software at 

http://www. icsalabs.com/html/communities/antivirus/certifiedproducts.shtml. 


Run your own virus tests 


Some amateur virus-hunters maintain their own library of viruses. 
Support professionals in large organizations, who are regularly 
called on to repair infected computers, are especially tempted to 
hang on to viruses recovered from these infected computers. We 
think that keeping a virus collection is unacceptably risky behavior, 
about on a par with keeping scorpions or rattlesnakes in the garage. 
If you’re evaluating a new antivirus program and you want to 
examine how it responds when it encounters an infected file, you 
don’t need live viruses. Under the auspices of the European 
Institute for Computer Anti-Virus Research (EICAR), antivirus 
software makers have devised a standard test—a unique string of 
68 ASCII characters—that you can embed in a file to trigger a 
reaction from their programs. 


To create your own EICAR test file, use Notepad or another text 
editor to create a file that begins with the following 68 characters: 


T 


X50! PS@AP[4\PZX54 (P*) 7CC) 7} SE 


Note that the letters are all uppercase and that the third character 
is the uppercase letter O, not the digit zero. 


CAR-STANDARD-ANTIVIRUS-T! 


If your antivirus software is working and supports the EICAR test 
method, it will intercept the file as you attempt to save it; Norton 
AntiVirus 2002, for instance, displays this bright red alert: 


Four versions of this test file—an executable file, a plain-text 
file, and two .zip compressed archives—are available from EICAR’s 
Web site. To download the files and read about their proper use, 
point your browser to 


http://www.eicar.org/anti_virus test file.htm. 


The following pages contain information about 14 leading makers of antivirus 
software. The list is not exhaustive, but it does include every company we 
know that makes antivirus software compatible with both Windows 2000 
Professional and Windows XP Professional and Home Edition. If you visit all the 
Web sites, you'll detect a strong international flavor to this group; the 
companies listed come from Russia, Norway, Sweden, Finland, the United 
Kingdom, and the United States. The list is in alphabetical order. 


Aladdin Knowledge Systems 


Products: eSafe Desktop, eSafe Enterprise 


At a glance: This security software combines antivirus technology, personal 
firewall, content filtering, and desktop lockdown features. A 60-day trial 
version is available. 


Web site: http://www.aks.com 
Virus information: http://www.aks.com/home/csrt/valerts.asp 


Central Command 


Products: Vexira Antivirus (Home, Small Business, Enterprise, Government, 
and Educational editions) 

At a glance: With this easy-to-use scanning software, you can monitor e-mail, 
downloads, and shared network drives. Weekly updates are available, with 
emergency daily updates when needed. Evaluation software for each product is 
available. 


Web site: http://www.centralcommand.com 
Virus information: http://www.centralcommand.com/recent_threats.html 


Command Software Systems, Inc. 


Products: Command AntiVirus, single-user and enterprise editions 


At a glance: Command AntiVirus installs as a service to run in the 
background. It performs real-time scans of 70 file types (including compressed 
files) and on-demand scans over the Web. A free 30-day trial version is 
available. 


Web site: http://www.commandcom.com 
Virus information: http://www.commandcom.com/virus/index.cfm 


Computer Associates International, Inc. 


Products: eTrust EZ Armor, eTrust EZ Antivirus, eTrust EZ Deskshield, eTrust 
EZ Firewall 


At a glance: CAI provides a broad range of products for home users, small 
businesses, and large corporations. eTrust EZ Armor combines personal firewall 
and virus protection for home users. 


Web sites: http://www.cai.com, http://www2.my-etrust.com 
Virus information: http://www3.ca.com/virus 


ESET 


Products: NOD32 


At a glance: Provides on-demand protection and integrates with Windows 
Explorer and most POP3 clients. NOD32 can also scan Outlook databases. The 
product includes extensive update options designed for use on networks. A trial 
version is available. 


Web site: http://www.nod32.com 
Virus information: http://www.nod32.com/support/pedia.htm 


F-Secure Corp. 


Products: F-Secure Anti-Virus 


At a glance: This well-respected company offers more than a dozen versions 
of its flagship product, including personal and enterprise editions, as well as a 
Total Suite product that combines firewall and antivirus software. Evaluation 
copies are available. 


Web site: http://www. f-secure.com 
Virus information: http://www.f-secure.com/virus-info 


Grisoft, Inc. 


Products: AVG AntiVirus 6.0 (Free Edition, Professional, Server) 


At a glance: AVG includes an on-demand scanner and e-mail protection with 
automatic updates. The free edition is not available in Europe. A 30-day trial of 
the Professional version is available for download. 


Web site: http://www.grisoft.com 
Virus information: http://www.grisoft.com/html/us_alert.php 


Kaspersky Lab Ltd. 


Products: Kaspersky Anti-Virus for Home Users (Personal Pro, Personal, Lite) 


At a glance: Also known as AVP, this product from a respected company has 
an easy-to-use interface and integrates with Outlook Express; version 4.0 is 
compatible with Windows XP. 

Web site: http://www. kasperskylabs.com 


Virus information: http://www.kasperskylabs.com/news.html?tnews=20140 


Network Associates (McAfee) 


Products: McAfee VirusScan, McAfee Clinic, McAfee NetShield, McAfee 
WebShield, McAfee GroupShield 

At a glance: This huge company offers an enormous variety of antivirus 
products and online services for home users, small businesses, and enterprise 
networks. Free trial versions are available. 


Web sites: http://www.nai.com, http://www.mcafee.com, 
http://www.mcafeeb2b.com 


Virus information: http://vil.nai.com/VIL/default.asp 


Norman ASA 


Products: Norman Virus Control, Norman Personal Firewall, Norman Privacy 


At a glance: Modular design includes an on-access scanner, an on-demand 
scanner, an updating engine, and a suite of utilities. Administrators can 
configure the software to push automatic updates to clients over the Internet, 
including employees with a home office. A 30-day trial version is available. 


Web site: http://www.norman.com 


Virus information: 


http://www.norman.com/virus_info/virus_descriptions.shtml 


Panda Software 


Products: Panda Antivirus 


At a glance: This software offers comprehensive protection for business 
networks (servers and desktops). Home users can choose the Titanium or 
Platinum version, both of which offer daily updates and support Windows XP. 


Web site: http://www. pandasoftware.com 
Virus information: http://www.pandasoftware.com 


Sophos 


Products: Sophos Anti-Virus 


At a glance: This software, which is designed specifically for use on corporate 
networks, monitors disks, programs, documents, and network drives. Free 
evaluation versions are available. 


Web site: http://www.sophos.com 
Virus information: http://www.sophos.com/virusinfo 


Symantec Corp. 


Products: Norton AntiVirus, Norton Internet Security 


At a glance: This large company offers versions for home users and 
businesses of all sizes, with firewall capabilities included in the Internet 
Security bundle. The popular Norton AntiVirus integrates well with e-mail 
programs and corporate networks. Symantec’s collection of virus removal tools 
is especially noteworthy. 


Web site: http://www.symantec.com 
Virus information: http://www.sarc.com 


Trend Micro, Inc. 


Products: PC-cillin, OfficeScan, HouseCall 


At a glance: This company provides scanning solutions for home users and 
businesses. The HouseCall service offers a free Web-based scan to check for 
viruses. 


Web site: http://www. antivirus.com 
Virus information: http://www. antivirus.com/vinfo 


Protecting Your Computer from 
Hostile Software 


Unfortunately, no one has yet designed a “silver 
bullet” that can protect your computer from all 
known threats. To effectively block the many 
varieties of malicious code that you're likely to 
encounter, you need to implement a 
comprehensive security program that consists of 
the following procedures: 


Train every person who uses your computer 
or network At a minimum, family members and 
employees should know not to open unexpected 
attachments and not to execute software they 
download from the Internet until they have 
scanned it for viruses. (For more details, 
including a checklist that you can print out for 
users to keep handy, see Training Users to Avoid 
Viruses.) 


Install antivirus software and keep it 
updated Installing an antivirus program is a two- 
part process. The initial setup enables the 
antivirus scanning engine—the code that checks 
files for possible viruses. The most important part 
of the package is the database of virus definitions 
(sometimes called the signature file). After 
installing an antivirus package on a new 
computer, update it to the latest definitions 
immediately. If the program has an automatic 
update feature, configure it to install new updates 
at least weekly. 


Keep your system up to date with the latest 
security patches The most destructive viruses 
work by exploiting known vulnerabilities in e-mail 
programs and Web browsers; on an unpatched 
system with outdated or defective antivirus 


software, one of these viruses can run 
automatically when you view a Web page or click 
on an e-mail message. To prevent this nightmare 
scenario, use Windows Update regularly and 
install security updates as soon as they’re 
available. Security patches are especially crucial 
for computers running Internet services, such as 
a Web server or an FTP server. (For details on 
how to download and apply patches, see Keeping 
Current with Windows Update.) 


Configure your computer to block potentially 
dangerous attachments that arrive via e- 
mail Many recent-vintage e-mail programs, 
including Outlook Express and Outlook, allow you 
to completely block some or all attachments that 
have the potential to harm your system. You can 
also add this capability via third-party software; 
the MailSafe feature in ZoneAlarm Pro (available 
at http://www.zonelabs.com), for instance, 
intercepts attachments that arrive via e-mail and 
lets you decide how to handle them. See Blocking 
Dangerous Attachments, for more details about 
your options. 


Install a firewall program that can detect 
and block unsolicited outbound connections 
The rudimentary firewall built into Windows XP 
offers excellent protection against unwanted 
intruders, but it does nothing to detect programs 
that try to send data from your computer. A 
firewall program with two-way protection can 
alert you to Trojan horse programs and can also 
help you detect “spyware”—programs that 
surreptitiously connect to the Internet without 
your knowledge or approval. Firewalls also can 
offer protection against blended threats. 


Back up your data regularly If, despite your 
best efforts, a virus or other hostile program 


manages to slip through your defenses and cause 
irreparable damage to your computer, you might 
be forced to reformat and start over. This process 
is never painless, but a good recent backup can 
greatly ease the sting. 


Don’t rely on a single layer of 
protection 


Protecting yourself from malware 
requires that you accept a few 
unpleasant truths: Antivirus software 
is not perfect. Even well-trained, 
experienced computer users (like you) 
can slip up. New vulnerabilities can 
result in attacks for which you’re not 
prepared. A healthy respect for your 
enemy is important. If you think you 
can do without antivirus software 
because you’re smarter than the 
cyber-hoodlums who write viruses and 
worms, you're practically daring them 
to take over your computer, and they 
have a better chance than you think of 
succeeding. To keep your computer 
safe from hostile software, it’s 
important that you use more than one 
layer of protection and that you 
maintain constant vigilance against 
new threats. 


Training Users to Avoid Viruses 


Your first line of defense against any hostile 
software doesn’t require any special hardware or 
software. The single most important precaution 
you can take is to train every user on your 
network (including yourself) to spot the warning 
signs of suspicious software. Make sure that 
every user understands the essential principles of 
safe computing. Print out a copy of these 
precepts (you can copy them from the electronic 
edition of this book, found on the companion CD) 
and post them near your computer: 


e Do not open any file attached to 
any e-mail message unless you 
know the sender and you are 
expecting the attachment. If you 
receive an attachment from an 
unknown sender, delete it 
immediately. Be suspicious of any 
attachment, even if it was 
apparently sent by a friend, 
relative, or business associate, and 
do not open the attachment unless 
you are absolutely certain that it is 
safe to do so. 


Never attach a file to an e-mail 
message without including an 
explanation. At a minimum, you 
should explain what the attachment 
is and why you're sending it. Don’t 
use generic text (“Hi, here’s the 
attachment I promised!”) that could 
just as easily have been generated 
by a mass-mailing virus. A personal 
note of a single sentence (“George, 


this is the list of vacation rentals I 
promised to send you when we 
spoke yesterday”) can reassure a 
recipient that the attachment is 
legitimate. 


Zip attachments for safety’s sake 


When you attach files to e-mail 
messages, you run the risk that the 
other person will be unable to open 
the file, especially if you’re sending an 
executable file to someone who’s 
using Outlook 2000 or 2002. To 
ensure that the files make it to your 
recipient safely, use a Zip-compatible 
compression program to compress 
them into an archive file. This 
precaution has a second benefit as 
well: “zipping” the file reduces its size 
and thus lessens the time it takes to 
send and receive as well as the 
possibility that you'll run afoul of size 
restrictions imposed by the recipient’s 
Internet service provider. 


e When in doubt, check it out. If 
you receive a suspicious or 
unexpected attachment, contact 
the sender and ask for an 
explanation. Pick up the phone, use 
instant messaging software, or use 
the Reply button to send an e-mail 
message. Be especially suspicious if 
the message that accompanies the 
attachment includes a generic 
exhortation to open the attached 
file (“You've got to see these 


pictures from my party!”). A quick 
visit to a reputable virus alerts Web 
site could help you determine 
whether the message and 
attachment are characteristic of a 
known virus. (For direct links to 
virus alerts, see the alphabetical 
listing of software companies in 
“Choosing_an Antivirus Program.”) 


If it doesn’t check out, delete it. 
If you can’t reach the sender and 
you aren’t comfortable opening the 
attachment, hit the Delete key. The 
potential damage and the hassle of 
cleaning up after a virus infection 
greatly outweigh any possible 
benefit from an unknown file. 
Besides, if you learn later that the 
attachment was truly important, 
you can always ask the sender for a 
new copy. 


Never install a patch or update 
you receive via e-mail. If you 
receive an e-mail message that 
seems to be from Microsoft or 
another software maker with an 
attachment that purports to be a 
security patch, delete it 
immediately. This is a favorite tactic 
of virus writers. Reputable software 
makers post patches on their Web 
sites and send e-mail alerts that 
describe the patch and include a 
link to the download site. (The only 
exception to this rule is if you’re 
troubleshooting a problem with a 
legitimate Support person who 


sends you a file containing an 
unpublished hotfix or registry file to 
help you solve the problem.) 


e Never accept a file sent over an 
Internet messaging service 
unless you're certain the file is 
safe. If you visit sites where online 
vandals share tools and techniques, 
you quickly learn that ICQ, AOL 
Instant Messenger, and Windows 
Messenger are favorite transmission 
vectors for Trojan horse programs 
disguised as MP3 files or graphics. 
Children are especially vulnerable 
to this sort of attack and need to be 
warned about the dangers of 
exchanging files with friends and 
strangers alike. 


Use test files to educate users 


One powerful technique you can use 
to educate inexperienced users, 
especially children, is to send them an 
e-mail attachment that contains a fake 
virus file with the EICAR test 
(described in “InsideOut: Run Your 


Own Virus Tests.”) Use this technique 
to demonstrate what they’re likely to 
see when their antivirus software 
detects a real virus; it’s much easier 
to discuss the proper response to virus 
alerts with a safe test virus than to 
wait until the user receives a real virus 
and possibly panics. 


Blocking Dangerous Attachments 


In a perfect world, your antivirus software will 
reject any miscreant that tries to sneak in as an 
e-mail attachment, either as it arrives or when 
you try to open or save the infected file. But that 
precaution can fail if your virus definitions are out 
of date or your antivirus software is temporarily 
disabled. If you’re rightly concerned about that 
possibility, add a second layer of protection in the 
form of software that blocks all attachments that 
might contain hostile code. 


You might already have access to an effective 
attachment-blocking system. If your primary e- 
mail program is Outlook Express 6, Outlook 2000 
with Service Pack 2, or Outlook 2002, this 
capability is built into the program you use to 
download and read e-mail. In Outlook 2002, in 
fact, attachment blocking is hard-wired into the 
program and can be turned off only with the help 
of third-party utilities. (For a complete description 
of the features and limitations of attachment 
blocking in Microsoft e-mail clients, see Protecting 
Yourself from Hazardous Attachments. ) 


If you prefer a non-Microsoft e-mail program, or 
if the attachment-blocking capabilities of Outlook 
or Outlook Express are unacceptable, you have at 
least two alternatives: 


e If you run your own mail server, 
you can block or quarantine 
potentially dangerous attachments 
at the gateway where e-mail enters 
your network. Many e-mail server 
programs include this capability as 
a configuration option, or you can 
install a separate module, such as 


GFI’s Mail Essentials for 
Exchange/SMTP Gateways 
(http://www.gfi.com). On all but 
the smallest networks, server- 
based attachment-blocking tools 
are vastly preferable to software 
that must be installed, configured, 
and kept running on each individual 
desktop. 


e On a single computer, you can use 
ZoneLabs’ ZoneAlarm Pro, whose 
MailSafe option mirrors the 
attachment-blocking capabilities of 
Outlook 2002, while still allowing 
you to decide which attachments 
are Safe to save or open. 
ZoneAlarm Pro works with any 
POP3 or IMAP e-mail client to 
intercept and quarantine any 
attachment that might be harmful, 
based on a customizable list of 46 
file name extensions. (Don’t 
confuse this capability with the 
limited MailSafe feature in the free 
ZoneAlarm firewall product from 
the same company, which blocks 
only files with the .vbs extension.) 


Table 9-1 lists the file name extensions that 
ZoneAlarm Pro considers potentially dangerous, 
breaking them down into categories by type of 
file. A comparison with Table 10-1, where we list 
the equivalent settings for Outlook 2000 and 
Outlook 2002, shows that the two lists are similar 
but not identical. For instance, ZoneAlarm Pro 
blocks files whose names include the extensions 
.dbx and .nch, both of which are used for Outlook 
Express data files (each Outlook Express folder 


has its own data file and index), as well as 
Windows Media Player skins (.wms extension); 
Outlook 2002, on the other hand, blocks Outlook 
XP settings files (.ops), which ZoneAlarm Pro 
ignores. Otherwise, the two lists are remarkably 
similar. 


Table 9-1. File Types Blocked by ZoneAlarm Pro 


File Name 


Extensions DESCTIPLIOT 


Type of File 


Executable .com, .exe, Executable files 


files and .msi, .msp, are among the 
program .pif, .scr most dangerous 
installers of all file types 


because they 
can perform 
literally any task 
the user has 
permission to 
do. The .scr 
extension 
identifies a 
screen Saver, 
which can be 
programmed to 
perform harmful 
actions. 


Type of File 


Batch files 
and 
shortcuts 


File Name 
Extensions 


.bat, .cmd, 
Ink, .scf, 
„url 


Description 


Batch files 
(including those 
with the .cmd 
extension aimed 
at Microsoft 
Windows 
NT/2000/XP) 
can call any 
executable 
program, as can 
shortcuts. The 
.url extension 
(Internet 
shortcuts) is 
banned because 
it can be used to 
disguise exploits 
that affect Web 
browsers, such 
as buffer 
overrun attacks. 


File Name 


Wipe eu Gils Extensions 
System inf, .ins, 
configuration .isp, .prf, 
files reg 


Script and .bas, .jS, 


Microsoft .jse, .mst, 

Visual Basic .sct, .vb, 

files .vbe, .vbs, 
.WSC, .WSf, 
.wsh 


Description 


These files can 
alter crucial 
portions of the 
Windows 
registry, 
including those 
related to 
Microsoft Office; 
.ins and .isp files 
can change 
Internet 
connection 
settings. 


Script files that 
use the JScript 
or VBScript 
language can 
perform a 
startling array of 
destructive 
actions. Internet 
Explorer security 
settings block 
most damage, 
but 
vulnerabilities 
exist and can be 
exploited on an 
unpatched 
system. 


._ File Name 
UES eS Extensions 
Shell scrap .shb, .shs 
objects 


Media Player .asx, .wms 
files 


Description 


Scrap objects, 
introduced in 
Windows 95, are 
rarely used 
today but are 
still supported 
by Windows 
2000 and 
Windows XP. 
Because a scrap 
object can 
contain an 
embedded 
executable 
program, this 
file type is 
considered very 
dangerous, and 
in fact one wide- 
spread virus 
(VBS.Stages.A) 
used this 
technique 
successfully. 


These file types 
can exploit 
vulnerabilities in 
Windows Media 
Player. 


File Name 


Type of File Extensions 


System files .chm, .cpl, 
that can .crt, .hlp, 
contain .MSC 
exploits 

Outlook .dbx, .nch 
Express data 

files 


Description 


This group 
consists of Help 
files, console 
objects, security 
certificates, and 
other types of 
files that 
typically contain 
data but can be 
crafted to exploit 
vulnerabilities in 
Windows. 


By tampering 
with the 
contents of mail 
folders, a virus 
writer could 
sneak hostile 
code onto a 
machine. 


File Name 


Extensions PAIS A AS 


Type of File 


Microsoft .ade, .adp, Because 
Access data .mda, Microsoft Access 
and program .mdb, can be used to 
files .mde, .mdz develop stand- 
alone 
applications, 
files in this 
category are 
considered 
dangerous and 
should be 
treated with 
Suspicion. 


Photo CD .pcd Scripts that can 

image be included in 
this file type are 
potential sources 
of attack. 


As Table 9-1 makes clear, hostile code can be 
hidden in an astonishing number of file types, not 
only in executable files and scripts. The use of 
double file extensions (described in “How 
Malicious Software Attacks Your Computer") 
makes it even more difficult to distinguish 
between safe files and those that are potentially 
damaging. 


If you turn on the MailSafe feature in ZoneAlarm 
Pro to block access to dangerous file 
attachments, the program intercepts all incoming 
file attachments; if the file name extension is on 
the MailSafe list, the program changes the 
extension to one that is registered to ZoneAlarm. 


A file attachment with the extension .exe, for 
instance, is renamed using the extension .zl9. 
When you attempt to open that file, ZoneAlarm 
Pro displays the dialog box shown in Figure 9-2, 
warning you that the file might be unsafe. You 
can then choose whether to save the file for 
further examination, open it, or delete it. 


“-Figure 9-2. ZoneAlarm Pro intercepts 
potentially dangerous file attachments based 
on their file name extension; the program 
works with all POP3 and IMAP e-mail 
programs. 


Look inside a script file 


When you receive a script file as an 
attachment to an e-mail message, 
how do you know it’s safe? If you have 
a basic knowledge of how scripts 
work, you can examine the file in a 
text editor before deciding whether to 
execute it. You can open a script file 
using Notepad or any text editor; you 
could also rename the script file using 
the .txt file name extension to ensure 
that it opens in Notepad rather than 
being inadvertently run when you 
double-click the file icon. Note that 
this precaution will not be effective 
with script files that have been 
encrypted 


Using Backups and System Restore 


When a virus attacks your computer, one of the 
first actions it typically takes is to infect other 
files. If the virus remains undetected for days or 
weeks, you could find that some of the infected 
files have been copied as part of your regular 
backups. If you use Windows XP, the System 
Restore feature, which takes regular snapshots of 
system files, can also keep copies of infected 
files. The risk? After you successfully clean up the 
infection, you restore your backed-up data files, 
only to discover that doing so inadvertently 
reinfects your computer. 


To avoid this frustrating scenario, follow this 
advice: 


e Always perform a complete virus 
scan before performing a full 
backup. If you schedule both tasks 
weekly, be sure to run the virus 
scan task before the backup task. 


e After cleaning up a virus infection, 
install your antivirus software and 
the latest virus definitions before 
restoring any backed-up files. This 
precaution ensures that the 
antivirus program will detect any 
infected files in your backup set as 
they’re restored. 


Because of the design of Windows, it is not 
possible to repair or replace infected files saved 
in the System Volume Information folder during a 
System Restore operation. Antivirus programs 
can detect the presence of a virus in this location, 
but they can’t clean it up. The solution is to 


completely purge all System Restore checkpoints 
and their accompanying saved files. To do so, 
follow these steps: 


1. Open Control Panel and double-click 
the System icon. 


2. Click the System Restore tab and 
select the Turn Off System Restore 
On All Drives check box. (If your 
computer has only a single volume, 
this text will read simply Turn Off 
System Restore.) 


3°°Click Apply, and then click OK to 
close the dialog box. 


4. Restart your computer. 


5. Update your antivirus software (the 
System Restore procedure may 
have removed recent updates to 
the scanning engine). Runa 
complete scan for viruses, using the 
most current virus definitions. 


6. After verifying that the system is 
free of any infections, repeat steps 
1-4, this time clearing the Turn Off 
System Restore On All Drives check 
box. 


Repairing an Infected System 


What should you do if you suspect that your 
computer has been infiltrated by a virus? For 
starters, don’t panic. If you indiscriminately begin 
deleting files or mucking with the registry, you 
could wind up making your ultimate cleanup job 
much more difficult. Follow the recovery 
instructions listed here to work your way through 
the cleanup process safely, without losing your 
sanity. 


Step 1: Positively identify the infection. The 
name of a file attachment or the text of the 
message that accompanied it might give you a 
clue as to the identity of the virus you’ve 
contracted. Before you proceed further, confirm 
the exact diagnosis. Read the description of the 
virus in any of the online information sources 
listed in “Choosing_an Antivirus Program,” and 
verify all symptoms to be sure. 


Don’t rush to judgment 


Most major viruses mutate over time, 
with later versions of a specific attack 
often fixing bugs found in the original 
and adding new wrinkles. It’s likely 
that the removal instructions for 
multiple strains of a single virus will 
vary in small but significant details. If 
you follow instructions that apply to a 
strain different from the one that 
infected your computer, you could 
leave bits of the infection behind, 
where they can reinfect your computer 
after you think you’re up and running 
again. Take the time to make an 
accurate diagnosis. If you’re 


uncertain, contact the support 
professionals at the company that 
makes your antivirus software. 


Step 2: Isolate the infected computer. 
Because viruses can spread over networks and 
via internal e-mail servers, you should promptly 
pull the plug on your network and disconnect any 
modems to prevent further damage. If the virus 
has destructive potential, back up essential data 
files before you begin repairs. 


Step 3: Find authoritative removal 
instructions. From an uninfected computer, visit 
an authoritative source and find detailed removal 
instructions. Print out the instructions and keep 
them handy as you work. Carefully read each 
step before beginning the cleanup. 


Step 4: Gather your cleanup tools. You might 
need a bootable floppy disk or your original 
Windows CD to boot into Safe Mode. The removal 
instructions should help you decide which tools 
are needed. 


Step 5: Begin the cleanup process. Depending 
on the virus, this task could take minutes, or it 
could require the better part of a day. The 
instructions you download in step 3 should help 
you prepare for this step. 


e Be prepared to delete all infected 
files and replace them with backup 
copies that are certain to be clean. 


e If you're lucky, one of the leading 
antivirus software companies has 
created an automated removal tool 
that can automate some or all of 
the cleanup process. Symantec 
offers an excellent collection at 


http://www.sarc.com/avcenter/tool 
s.list.html. Download the removal 
tool and its instructions and save 
them, preferably to a CD or other 
removable media. This procedure is 
most effective when the virus that 
attacked you is relatively simple 
and its actions are thoroughly 
understood. 


e If no removal tool is available, 
follow the step-by-step removal 
instructions to the letter. Do not 
rush through this process, and 
don’t skip any steps. 


e For servers and workstations that 
contain critical data and programs, 
the possibility that the system may 
remain compromised by an 
unknown virus component such as 
a Trojan horse is too great to rely 
on simple removal techniques. In 
these cases, the preferred option is 
to reformat the drive, reinstall the 
operating system and all 
applications from scratch, and then 
restore any data from clean 
backups. 


Step 6: Reinstall antivirus software. After 
completing cleanup, this should be your first task. 
Use trusted media (the original CD), or a fresh 
download from an uninfected computer. Install 
the latest updates and rescan all local disks to 
verify that the virus is completely gone. 


Step 7: Restore data and programs from 
backup copies. Here, too, use only trusted 
media to reinstall programs. If you suspect that 


the original installation files might have been 
compromised by the virus, find fresh copies. Be 
especially vigilant for “data diddling” viruses, 
which can tamper with formulas in spreadsheets 
or alter text in documents. The notorious Melissa 
virus, for instance, randomly inserted a quote 
from Bart Simpson (“Twenty-two points, plus 
triple-word-score, plus fifty points for using all 
my letters. Game’s over. I’m outta here.”) into 
infected documents. 


Step 8: Scan all other computers on your 
network. Before you reconnect to your network, 
confirm that other computers are free of 
infection. This avoids the possibility that a 
blended threat will reinfect the newly cleaned-up 
computer. After you’re certain that everything is 
back to normal, it’s OK to reconnect. 


Chapter 10 


Keeping Your E-Mail Secure 


It might be indispensable, but electronic mail can 
also be a major source of security concerns. 
Attachments to e-mail messages are the principal 
medium through which viruses, worms, and 
Trojan horses spread from one computer to 
another. Malicious scripts or insecure ActiveX 
controls in HTML-encoded messages can be 
harmful to your computer’s health. Unencrypted 
message content can be subject to unwanted 
inspection, both while the message is in transit 
and after it has reached its destination. People 
who don’t have your best interests at heart can 
impersonate you, sending messages to others 
that appear to have come from you. And 
messages can be altered by third parties while en 
route to recipients. 


Fortunately, you can take relatively simple 
measures that will counter these various threats. 
For example, you can virtually eliminate the 
hazards associated with message attachments by 
applying a virus scanner to the attachments 
before opening them. (The current version of 
Microsoft Outlook provides additional protection 
against dangerous attachments, as you'll see in 
this chapter.) You can use security zones in 
Microsoft Internet Explorer to guard against 
rogue HTML in e-mail messages that you receive 
in Outlook or in Microsoft Outlook Express. Public 
key encryption can ensure the privacy of your 
communications, and digital signatures can 
guarantee both the authenticity and the integrity 
of your e-mail. 


In this chapter, we assume that you’re reading, 
composing, and managing your e-mail using an 


up-to-date Microsoft client program—Outlook 
2000, Outlook 2002 (part of Microsoft Office XP), 
or Outlook Express version 5 or later. If you use a 
different e-mail program, such as Netscape 
Messenger or Eudora, many of the basic 
principles still apply, but the step-by-step 
procedures for tasks such as blocking dangerous 
attachments and installing digital certificates are 
different. 


Protecting Yourself from 
Hazardous Attachments 


Every e-mail attachment is a potential threat to 
your computer’s security. AS we emphasize in 
Chapter 9, “Stopping Viruses, Worms, and Trojan 
Horses,” you should be suspicious of any 
unexpected attachment from any source, even if 
it appears to be from a known and trusted 
contact. Regardless of its origin, never run or 
open any attachment from your e-mail program 
unless it has passed muster with an up-to-date 
virus checker. Even if your antivirus program 
does not scan inbound e-mail messages, it should 
intercept any infected attachment when you try 
to run or save it—that is, if you have your 
antivirus program set to scan all files as they're 
created or saved. If you’re not certain that your 
antivirus software is protecting you automatically, 
save all attachments to your hard disk and scan 
them manually before you open them. 


This advice applies to document files as well as 
executables. The macro languages that are 
incorporated into modern applications (for 
example, Microsoft Visual Basic for Applications, 
which is supported by Office and many other 
programs) allow full-fledged programs to be 
embedded in seemingly innocent document files. 
If you allow a macro to run unchecked, it can 
access essential resources on your system, 
including your disk drives and your address book. 
Hence, a Microsoft Excel workbook (.xls) or a 
Microsoft Word document (.doc) has the potential 
to do as much damage as an executable program 
(.exe). You should be most concerned with macro 
security if you’re using an older version of 
Microsoft Office, especially Office 97. Macro- 


based viruses are much less troublesome in 
Office XP and in Office 2000 when the 
appropriate security updates are installed; in 
both cases, macro security levels are set to High 
by default, meaning that unsigned, untrusted 
macros simply won’t run. 


Attachment and Automation Security in 
Outlook 


If you use Outlook as your e-mail client, you 
might already enjoy a considerable degree of 
protection against malicious attachments— 
perhaps even more protection than you need or 
want, thanks to the Outlook E-Mail Security 
Update. This sweeping set of restrictions, which 
was originally released as an add-on for Outlook 
98 and Outlook 2000, is incorporated into a 
default installation of Outlook 2002 and is 
automatically added to Outlook 2000 when you 
install Microsoft Office 2000 Service Pack 2 (SP- 
2), is designed to prevent viruses from using 
Outlook to propagate themselves. In particular, 
this security update does the following: 


e Blocks access to attachments of a 
large number of file types. 


e Changes the default security zone 
for HTML-formatted e-mail from 
Internet to Restricted Sites. 


e Disables script stored directly in an 
Outlook item. 


e Implements protective measures 
that intervene and require the 
user’s consent when any program 
attempts to send e-mail on behalf 
of an Outlook user, to access e-mail 
addresses from a user’s message 
store or Contacts folder, or to save 
user messages as files. 


You can download a Microsoft white 
paper on the Outlook 98/2000 E-Mail 


Security Update from 

http://www. microsoft.com/office/ork/ 
2000/download/OutSecWP. doc. 
Changes to the security update for 
Outlook 2002 are documented in 
Knowledge Base article Q290497. A 
detailed and balanced description of 
the security update from a non- 
Microsoft perspective, as well asa 
wealth of other information about 
every aspect of Outlook, is available at 
http://www. slipstick.com. 


Taken as a whole, the Outlook E-Mail Security 
Update provides remarkably effective protection 
against viruses and worms. To the best of our 
knowledge, in fact, this update alone would have 
protected you from every virus found in the wild 
since this patch was introduced. Some Outlook 
experts have called the security update 
“draconian” because its restrictions apply with 
equal force to experts and novices alike. But if 
you are willing to trade off some minor 
inconvenience for thorough virus protection, this 
is an essential update. 


Determining Whether You Have the 
Security Update 


Your version of Outlook includes the security 
update if any of the following is true: 


e You're using Outlook 2002 or any 
subsequent version. 


e You’re using Outlook 2000 version 
9.0.0.4201 or later. 


e You’re using Outlook 98 version 
8.5.7806 or later. 


To determine your version number, choose Help, 
About Microsoft Outlook. The version number 
appears near the top of the About dialog box. 


How the Security Update Handles File 
Attachments 


The most noticeable effect of the security update 
is that attachments of any file type included on 
Outlook’s prohibited list become inaccessible in 
the Outlook e-mail client. You can neither open 
nor save such attachments. If you receive a 
message containing one or more proscribed 
attachments, Outlook identifies the blocked items 
in an informational header that appears above 
the message, as shown in Figure 10-1. The 
attachments remain attached; Outlook 
quarantines them, making them inaccessible to 
you, but it does not get rid of them until you 
delete the message containing the attachments. 


Outlook also quarantines files attached to 
messages that were received before you installed 
the security update if their file type is on the 
proscribed list. Thus if you upgrade to Outlook 
2002 from an earlier version of Outlook, some of 
your existing e-mail attachments might become 
inaccessible. 


“-Figure 10-1. Executable attachments are 
blocked in Outlook 2002 and in versions of 
Outlook 2000 that include the security 
update. 


Table 10-1 lists the file types blocked by the 
Outlook E-Mail Security Update. Note that in 
Outlook 2002—but not in Outlook 2000—you can 
customize this list. (For information about 
altering the blocked attachment list, see 


Customizing the Security Update in Outlook 
2002.) 


Table 10-1. File Types Blocked as Attachments 
by the Outlook E-Mail Security Update 


Extension File Type 


.ade Microsoft Access project 
extension 

.adp Microsoft Access project 

.bas Microsoft Visual Basic class 
module 

.bat Batch file 

.chm Compiled HTML Help file 

.cmd Microsoft Windows command 
script 

.com MS-DOS application 

.cpl Control Panel extension 

.crt Security certificate 

„exe Program 

„hlp Microsoft Windows Help file 


„hta HTML application 


Extension File Type 


„inf Setup Information file 

JINS Internet Settings file 

.iSp Internet Communication 
settings 

js Microsoft JScript (JavaScript) 
file 

.jse Microsoft JScript Encoded Script 
file 

Ink Shortcut 

.mda Microsoft Access add-in 
program 

.mdb Microsoft Access program 

.mde Microsoft Access MDE database 

.mdt Microsoft Access workgroup 


information2 


.mdw Microsoft Access workgroup 
information 


.mdz Microsoft Access wizard 
program 


Extension File Type 


MSC 


„msi 


.msp 


.mst 
.Ops 


.pcd 


. pif 


.prf 


reg 


.SCf 


SCH 


.SCt 


Microsoft Common Console 
Document 


Microsoft Windows Installer 
package 


Microsoft Windows Installer 
patch 


Visual Test source file 
Microsoft Office XP settings? 


Photo CD image or Visual Test 
compiled script 


Shortcut to MS-DOS program 


Microsoft Outlook profile 
settings+ 


Registration entries (registry 
updates) 


Microsoft Windows Explorer 
command 


Screen saver 


Microsoft Windows Script 
Component 


Extension File Type 


.shb Shell Scrap Object 

.shs Shell Scrap Object 

„url Internet shortcut 

.vb Microsoft VBScript file 

.vbe Microsoft VBScript Encoded 
Script file 

.vbs Microsoft VBScript Script file 

.WSC Microsoft Windows Script 
Component 

.wsf Microsoft Windows Script file 

.wsh Microsoft Windows Scripting 


Host Settings file 


If you originate or forward a message containing 
proscribed attachments, Outlook warns you that 
your recipients might not be able to open those 
attachments but allows you to go ahead and send 
the attachments if you choose to. Forwarding a 
blocked attachment to yourself at a server-based 
e-mail account—a Hotmail account, for example— 
and then opening the forwarded message outside 
Outlook is one way to open a blocked attachment 
that you know is safe. For other workarounds, 
see Workarounds for the Security Update. 


How the Security Update Handles 
Microsoft Office Documents 


You'll notice that the only Microsoft Office 
document types listed in Table 10-1 are those 
created by Microsoft Access. Documents created 
in Excel, Word, Outlook, or Microsoft PowerPoint 
are exempt, even though Visual Basic for 
Applications, the macro language supported by all 
Office applications, has often been used to create 
viruses. 


The security update does not block Excel, Word, 
Outlook, and PowerPoint documents because 
these applications include their own macro 
security mechanism. These Office applications let 
you set macro security to one of three levels: 
High, Medium, or Low. The effects of these 
settings are as follows: 


e High. Only those macros that are 
digitally signed by sources you have 
explicitly added to a list of trusted 
sources are allowed to run. The 
Office application disables all other 
macros. (If you open a file 
containing a signed macro from a 
source that you have not explicitly 
trusted, the application gives you 
the opportunity to add the source 
to your trusted sources list.) 


e Medium. The application prompts 
you whenever you open a file 
containing one or more macros 
from a source that you haven’t 
explicitly trusted. 


e Low. All macros are allowed to run. 


(In addition to these three settings, 
Office applications provide a check 
box that lets you accept all macros 
in currently installed add-ins and 
templates. ) 


The Outlook E-Mail Security Update changes the 
macro security setting in Excel, Word, Outlook, 
and PowerPoint to High. If you regularly create 
your own macros or work with documents 
containing macros created by trusted associates, 
you'll probably find this default setting to be a 
nuisance. Changing the setting to Medium should 
give you an acceptable level of security. If you 
regularly write your own macros, you might want 
to switch to Low, provided you have an up-to- 
date virus checker that scans inbound e-mail. Be 
advised that Microsoft does not recommend this 
setting, and we agree that using this low level of 
protection is a bad idea. Serious macro 
developers have a much safer option: add your 
own certificate and use it to sign any macros you 
create. If you share macros with other people, 
you can share the certificate as well. (For more 
details on installing certificates, see Chapter 4, 
“Installing_and Using Digital Certificates.” 


To change the macro security setting in Word, 
Excel, Outlook, or PowerPoint, choose Tools, 
Macro, Security. Set the level you want on the 
Security Level tab. To modify the trusted sources 
list, click the Trusted Sources tab. Note that 
although each application’s security-level setting 
is independent of the other applications’ settings, 
a source trusted in one application is trusted in 
all. 


The Outlook Object Model and the 
Security Update 


Outlook’s object model—the collection of 
methods, properties, forms, and other internal 
elements that Outlook makes available for use by 
external programs—provides a convenient way 
for programmers to tap into Outlook and add e- 
mail features to their applications. However, the 
Outlook object model offers no easy way to 
distinguish between a legitimate program and a 
virus or other hostile intruder. As a result, in 
addition to blocking potentially dangerous 
attachments, the security update is designed to 
place a roadblock between Outlook and 
executable programs that attempt to access its 
object model. This layer of protection prevents 
rogue programs from propagating themselves by 
sending e-mail or accessing information from 
your messages or address books. Unfortunately, 
it has the side effect of interfering with legitimate 
applications and macros. It’s particularly likely to 
hamper mail-merge operations and the exchange 
of information between Outlook and handheld 
devices running older versions of Windows CE or 
the Palm OS. (The latest versions of the 
operating system software for popular handheld 
devices do not suffer from these problems.) 


If a process attempts to access your address 
book information, Outlook displays the warning 
shown here: 


“If you're sure that the attempted access is 
legitimate, you can allow the operation to 
proceed by selecting the check box and 
specifying a maximum duration. You can permit 
access for up to 10 minutes. 


If a process attempts to send e-mail using the 
Outlook object model, Outlook displays a similar 
prompt. In this case, however, the Yes button 
(which would allow the action to proceed) is 


disabled for five seconds. During this interval, 
you can click only No or Help. If a program uses 
Outlook’s Send method repeatedly (as, for 
example, in an e-mail or fax mail-merge 
process), you must answer this prompt for each 
addressee—and wait five seconds each time. 


In short, the Outlook E-Mail Security Update 
effectively precludes the use of Outlook for 
certain types of mail-merge operations. If you’re 
not yet using the update and you’re thinking 
about acquiring it, you'll want to bear this in 
mind. 


Adding the Security Update to Your 
System 


As we noted earlier in this chapter, you can 
acquire the Outlook E-Mail Security Update either 
by upgrading to Outlook 2002 (or Office XP) or by 
installing Office 2000 Service Pack 2. With an 
installation of Outlook 2000 or Outlook 98, you 
can also add the security update manually. Before 
you take any of these steps, be sure you have 
evaluated the tradeoffs that come with the extra 
security the update provides. (For an analysis of 
these tradeoffs, see 

http://www. slipstick.com/outlook/esecup.htm. ) 
You can’t remove the security update from 
Outlook 2002 (although you can customize the 
list of forbidden attachments). Removing the 
update from Outlook 2000 or Outlook 98 is not 
simple, but it is possible. 


To add the security update to Outlook 2000, you 
must first have installed Office Service Release 1 
(SR-1 or SR-1a). To determine whether you’ve 
already done this, choose Help, About Microsoft 
Outlook. The top line of the About dialog box will 


say SR-1 if you’ve installed either SR-1 or SR-1a. 
(SR-1a includes SR-1 and an additional patch for 
users who have upgraded from Microsoft 
Windows NT 4; if you’re installing Office 2000 
from scratch, you should download this version of 
the service release. For information about 
obtaining SR-1a, see Microsoft Knowledge Base 
article Q245025, or visit 

http://support. microsoft.com/default.aspx? 
scid=kb;EN-US;q245025). 


To download the security update, after you have 
installed SR-1 or SR-1a, point your browser to 
http://office.microsoft.com/downloads/2000/Out 
2ksec.aspx. To download the security update for 
Outlook 98, go to 
http://office.microsoft.com/downloads/9798/Out 


98sec. aspx. 


If you install the security update for Outlook 2000 
or Outlook 98 and then change your mind about 
using it, you can remove the update as follows: 


e Outlook 2000. Open Add/Remove 
Programs in Control Panel and 
uninstall Office 2000. You then 
need to reinstall all of Office. 


e Outlook 98. Open Add/Remove 
Programs in Control Panel and 
uninstall the update. 


Customizing the Security Update in 
Outlook 2002 


Administrators working with Outlook 2002 ina 
Microsoft Exchange Server environment can tailor 
the security update to add or remove restrictions 
for particular users. To do this, you need the 
latest version of Admpack.exe, which is available 


on the Office XP CD and as a download from 
Microsoft. For details, see 


http://www. microsoft.com/office/ork/xp/four/out 
g03.htm. 


Users of Outlook 2002 can modify the registry to 
remove particular file types from the list of 
proscribed attachments. File types that you 
“unprotect” in this manner are demoted from 
Outlook’s “Level 1” list (the list shown in Table 
10-1) to a “Level 2” list that is initially empty. 
Attachments that you designate as Level 2 can be 
saved but not opened or run directly from 
Outlook. When you double-click such an 
attachment in an Outlook message, Outlook 
displays a warning: 


“Click Save To Disk to proceed. 


To move file types from Level 1 to Level 2, follow 
these steps: 


1. Open Registry Editor. 


2. Navigate to 
HKCU\Software\Microsoft\Office\10. 
0\Outlook\Security. 


3. Create the string value 
LevellRemove (if it doesn’t already 
exist). 


4. Double-click the LevellRemove 
value. 


5. As data for the LevellRemove 
value, enter a series of file name 
extensions (without periods), 
separated by semicolons. 


For example, to add .bat, .com, and 
.pif files to the Level 2 list, you 


would enter the following: 


bat; con; pi E 


6. Close Registry Editor. 


7. If Outlook is running, close the 
application and restart it. 


As always, we recommend that you 
exercise extreme caution before 
editing the registry manually. An 
incorrect modification can cause 
unintended side effects, up to and 


including an inability to restart your 
system. If you're not certain that you 
know how to use Registry Editor 
safely, we urge you to steer clear of 
this powerful but potentially 
dangerous tool. 


Workarounds for the Security Update 


The protection against rogue attachments offered 
by the Outlook E-Mail Security Update 
undoubtedly makes your use of e-mail in Outlook 
safer. If you're accustomed to receiving 
executable attachments from trusted parties, 
however, the security update also brings with it a 
nontrivial amount of inconvenience. In addition to 
moving Level 1 file types to the Level 2 list as 
described in the previous section, here are three 
other ways to ameliorate the inconvenience: 


e Ask trusted senders to compress all 
attachments, using the Compressed 
Folder feature in Microsoft Windows 
XP or a compression utility such as 
WinZip (http://www. winzip.com) 


before attaching and sending the 
files. Compressed files that use the 
.zip extension are not on the 
proscribed list. 


e Forward messages with trusted 
attachments to a server-based mail 
account, such as Hotmail, that you 
can access outside Outlook. 


e Export messages with trusted 
attachments to Outlook Express. 


Outlook Express 6 (the version that ships with 
Windows XP) optionally blocks executable 
attachments. If you choose to export one or more 
quarantined items from Outlook to Outlook 
Express 6, be sure that attachment blocking is 
turned off in Outlook Express. (For more details, 
see Attachment Security in Outlook Express. ) 


Before you export messages to Outlook Express, 
create an Outlook folder to contain those 
messages (unless, of course, you intend to export 
your entire message store). Move or copy the 
messages containing the blocked attachments to 
the folder you just created. Then, in Outlook 
Express, follow these steps: 


1. Choose File, Import, Messages. 


2. In the Select Program dialog box, 
select Microsoft Outlook and then 
click Next. 


3. In the Select Folders dialog box, 
click the Selected Folders option, 
and then select the name of the 
folder that holds the messages you 
want to import. Click Next. 


4. Click Finish. 


Attachment Security Without the E-Mail 
Security Update 


If you’re using a version of Outlook that does not 
incorporate the E-Mail Security Update, Outlook 
doesn’t block potentially dangerous attachments. 
But it can warn you (and does so by default). To 
change Outlook’s behavior in this regard, choose 
Tools, Options and click the Security tab, and 
then click Attachment Security. The following 
dialog box appears: 


“It’s best to leave the warnings in place (the 
default setting in this dialog box). 


Attachment Security in Outlook Express 


Outlook Express 6 provides a blanket 
attachment-blocking mechanism comparable to 
that in Outlook 2002 or Outlook 2000 with the E- 
Mail Security Update. Previous versions of 
Outlook Express did not provide this capability. 
Although this security mechanism offers excellent 
protection against viruses and other hostile code, 
its default settings are so restrictive that you’re 
almost certain to be frustrated by its workings. If 
you’re thinking of turning on attachment blocking 
in Outlook Express, read this section carefully. 


Upgrade to Internet Explorer 6 


Because Internet Explorer 6 is 
included with Windows XP, the Outlook 
Express features described in this 
section are available to all Windows XP 
users. If you’ve chosen to stick with 
Windows 2000 and prefer to use 


Outlook Express as your e-mail client, 
we recommend that you upgrade to 
Internet Explorer 6 so that you have 
the option of enabling global 
protection against potentially harmful 
attachments. Installing Internet 
Explorer 6—a good idea in itself— 
automatically installs Outlook Express 
6. To upgrade to Internet Explorer 6, 
go to 

http://www. microsoft.com/windows/ie 
/default.asp. 


Outlook Express 6 does not implement 
attachment blocking unless you specifically 
enable this option. By default, all attachments 
arrive in your Inbox, where you can choose to 
open them directly or save them to disk. To turn 
on attachment blocking, choose Tools, Options 
and then click the Security tab. On the Security 
tab (shown in Figure 10-2), select Do Not Allow 
Attachments To Be Saved Or Opened That Could 
Potentially Be A Virus. 


“-Figure 10-2. Blocking executable 
attachments in Outlook Express 6 is not 
turned on by default. 


With attachment blocking turned on, you can 
neither read nor save attachments that Outlook 
Express 6 regards as dangerous. What’s on that 
list? In deciding which file types are potentially 
hazardous to your computer's health, Outlook 
Express uses the same list of file types that 
Internet Explorer checks when you download a 
file. This list consists of two parts: 


e A predefined, hard-coded list of file 
name extensions that are always 
considered dangerous. This list is 


composed of files that are 
traditionally considered 
“executable” (.exe, .bat, and so 
on). When attachment blocking is 
enabled, the user is always 
protected from these file types. 
Table 10-2 lists our best guess as to 
the file types that Outlook Express 
considers dangerous; although this 
table is reasonably accurate, it 
might not be complete because no 
authoritative documentation exists 
at Microsoft. 


A list of file types for which the 
Confirm Open After Download 
option has been selected. This very 
long list is far more extensive than 
the one employed by Outlook with 
the E-Mail Security Update. Under 
the default settings, Outlook 
Express 6 blocks genuinely 
suspicious attachment types, such 
as JScript/JavaScript files (.js 
extension), Control Panel 
extensions (.cpl), and Windows 
Installer packages (.msi)—any of 
which could contain harmful code. 
Unfortunately, the default settings 
also block Internet shortcuts (.url), 
compressed archives (.zip), Adobe 
Portable Document Format files 
(.pdf), and Office documents (.doc, 
.xls, and so on). Figure 10-3 shows 
what happens to a typical message 
containing a variety of file 
attachments. Only the plain text file 
(.txt) and a graphics file (.gif) 


passed through the attachment 


Table 10-2. “Dangerous” File Types, as Defined 
by Outlook Express 6 


Extension File Type 


.bas 


.bat 


.cmd 


.com 
„exe 
.Ink 
.mst 
.pcd 
. pif 


.SCf 


soci 


Microsoft Visual Basic class 
module 


Batch file 


Microsoft Windows NT 
Command Script 


MS-DOS application 

Program 

Shortcut 

Visual Test source file 

Photo CD image 

Shortcut to MS-DOS program 


Microsoft Windows Explorer 
command 


Screen saver 


“-Figure 10-3. With attachment blocking 
turned on, Outlook Express 6 is overly 


cautious, rejecting even innocuous .zip files 
and Office documents. 


If you intend to use this protective feature, 
expect to fine-tune its behavior. For instance, you 
can specify that compressed files with the .zip 
extension are perfectly safe and should always be 
allowed to pass through the attachment-blocking 
filters. To modify the list, follow this procedure: 


1. Open Windows Explorer and choose 
Tools, Folder Options. 


2. Click the File Types tab, and then 
scroll through the Registered File 
Types list until you find the 
extension for the file type you want 
to change. Select that entry in the 
list. 


3. Click the Advanced button. 


4. In the Edit File Type dialog box, 
clear the Confirm Open After 
Download check box. 


5. Click OK to close the Edit File Type 
dialog box, and then click Close in 
the Folder Options dialog box. 


Repeat this process for any other file types that 
you want to designate as safe. (Note that this 
option is not available for any file type on the 
hard-coded list of dangerous types.) Also be 
aware that changing this setting for any file type 
might affect the way it’s handled in Internet 
Explorer. 


Although Outlook Express is more restrictive than 
Outlook (at least initially) in blocking some types 
of attachments that are generally considered 


safe, it does allow you to disable this feature and 
enable access to attachments at any time. If you 
receive an e-mail message with an attachment 
that is blocked in Outlook Express, you can 
unlock access to it in either of two ways: 


Disable attachment blocking temporarily. 
From the main Outlook Express window, choose 
Tools, Options. Click the Security tab, and clear 
the Do Not Allow Attachments To Be Saved Or 
Opened That Could Potentially Be A Virus check 
box. After you’ve saved or opened the 
attachment, you can turn the safety feature back 
on again. 


Disable attachment blocking for that file 
type. Follow the steps listed previously to disable 
attachment blocking for the file type that is being 
blocked. After you make this change, reopen the 
message and the attachment will be available for 
you to open or save. Note that this option is not 
available for most executable file types. 


Keep limited users out of trouble 


Because the attachment-blocking 
setting is applied on a per-account 
basis, an administrator might want to 
turn it on for users with limited 
accounts while leaving the blocking 
feature disabled for your account and 
those of other trusted users. Enabling 
blocking prevents inexperienced users 
from inadvertently executing a virus 
or a Trojan horse program. However, 
as an administrator, you cannot 
prevent a user who is poking around 
the Outlook Express Options dialog 
box from disabling this feature. If 
you're truly concerned that another 


user will deliberately bypass your 
controls and open a dangerous 
attachment, use the more powerful 
attachment-blocking feature included 
with Outlook. 


Whether you choose to block executable 
attachments or allow them to be opened and 
saved, you should make sure that Outlook 
Express is set to warn you if an application (a 
virus, for example) attempts to send e-mail on 
your behalf. This option, enabled by the Warn Me 
When Other Applications Try To Send Mail As Me 
check box in the Options dialog box (see Figure 
10-2) is enabled by default. 


Protecting Yourself from Rogue 
HTML 


Hypertext Markup Language (HTML) is the default 
display format for messages created in both 
Outlook Express and Outlook. In either program, 
you can override this default format for outbound 
messages. That is, you can set Outlook Express 
to compose messages in plain text instead of 
HTML; and in Outlook you can choose to compose 
messages in plain text or Rich Text Format (RTF) 
if, for some reason, you don’t want to use HTML. 
But inbound messages formatted in HTML are 
always displayed in HTML, which means that 
Outlook and Outlook Express are potentially 
exposed to the same HTML threats as a Web 
browser— malicious scripts or hostile ActiveX 
controls, for example. 


Both Microsoft e-mail client programs deal with 
these hazards the same way Internet Explorer 
does—with security zones. (For information about 
Internet Explorer security zones, see Using 
Security Zones.) The use of security zones in 
Outlook and Outlook Express differs from that in 
Internet Explorer, however, in the following ways: 


e In Internet Explorer, you can 
choose from four security zones— 
Internet, Local Intranet, Trusted 
Sites, and Restricted Sites. In 
Outlook and Outlook Express, only 
the Internet and Restricted Sites 
zones are available. 


In Outlook and Outlook Express, 
ActiveX controls and scripts are 
always disabled, even if you have 


enabled them in the currently 
active security zone. (For 
information on how to run a script 
in Outlook 2002, see Activating 
Script in an Outlook 2002 
Message.) 


Outlook and Outlook Express 
always apply the current security 
zone’s settings to inbound 
messages, regardless of their 
source. 


It’s particularly important to understand the third 
point. In Internet Explorer, you can assign 
particular URLs to the Restricted Sites zone. For 
example, if you regard www.edbott.com as a 
purveyor of perilous prurience, you can add that 
site to the Restricted Sites zone and use the 
settings associated with Restricted Sites to keep 
Ed’s wares from entering your system. If you set 
Outlook or Outlook Express to use the Internet 
zone, however, a// e-mail—even messages 
originating at or passing through edbott.com—will 
be given the more relaxed settings typically 
associated with the Internet zone. In other 
words, the e-mail client doesn’t care where the 
message comes from or who it has kept company 
with along the way; it uses the same security 
zone for all inbound messages. 


Changing the Security Zone 


In Outlook 2002 and Outlook Express 6, the 
default security zone is Restricted Sites. In all 
earlier versions of both programs, the default 
zone is Internet. For effective security in earlier 
versions of these e-mail clients, you should 
switch to Restricted Sites. The procedure for 
changing the zone is essentially the same in both 
programs: 


1. Choose Tools, Options and then 
click the Security tab. 


2. In Outlook, select the zone you 
want from the Secure Content 
section of the dialog box. In 
Outlook Express, select a zone in 
the Security Zones section of the 
dialog box. 


Activating Script in an Outlook 2002 
Message 


Normally, you do not want script embedded in an 
HTML e-mail message to run within your message 
window. As a general rule, letting script run in 
this context is such a bad idea that Outlook and 
Outlook Express expressly forbid it, even if you 
have adjusted the security parameters associated 
with the Internet or Restricted Sites zone to allow 
script to run. But Outlook 2002’s message 
window does include a command that lets you 
temporarily override the scripting safeguards. 


If an Outlook 2002 message includes script that 
you’re certain is safe, you can run the script by 
choosing View, View In Internet Zone. This 
command, which appears only within the 
message window (not in the main Outlook 
window) and only when an HTML message is 
displayed, is a curiosity in several ways. 


First, it does not implement the current security 
parameters of the Internet zone. If you turn 
scripting off in the Internet zone and then choose 
View, View In Internet Zone for a scripted 
message, the script will still run. 


Moreover, when you choose View, View In 
Internet Zone, Outlook displays the warning 
shown here whether or not your message 
actually contains any script. (If your message 
really does contain script, Outlook indicates that 
fact in the status message that appears directly 
above the message header, before you choose 
the View In Internet Zone command.) 


“Finally, although its effects on the current 
message are not the same as those you would 
get by setting Outlook to use the Internet zone 


globally, the command becomes unavailable if 
you set Outlook to use the Internet zone. Hence, 
if you want to let a script run in an Outlook 2002 
message, you must first be sure that Outlook 
itself is set to use the Restricted Sites zone and 
then choose View, View In Internet Zone. 


Using Web-Based E-Mail 
Securely 


Web-based e-mail systems such as Hotmail, 
Juno, or Yahoo Mail offer you the convenience of 
being able to send and receive messages from 
any computer connected to the Internet, 
anywhere in the world. This ability is a genuine 
convenience when you’re traveling without a 
computer of your own; you can sit down at any 
computer, including those in public libraries or 
Internet cafes, and catch up with your e-mail. If 
you use one of these services on a public or 
shared computer, however, you need to take a 
few precautions that you might not consider 
necessary at home: 


e Be sure the system does not cache 
your logon credentials. 


e Be sure to sign out explicitly when 
you've finished using an e-mail 
system. 


Many Web-based e-mail systems offer you the 
option of “remembering” your user name and 
password so that you can log on with one or two 
keystrokes instead of having to type everything 
out completely. At Yahoo Mail, for example, the 
sign-in screen looks like this: 


“If you make the mistake of selecting the easy 
logon option at a computer that’s available to the 
public, the public (or at least anyone who knows 
your user name) will have easy access to your 
password and your account. 


If your mail service doesn’t offer to remember 
your logon credentials, your browser might. In 


Internet Explorer, an AutoComplete dialog box 
(or, in Netscape browsers, Password Manager) 
might appear after you submit your name and 
password. You should, of course, decline its offer. 


For more details on how to minimize 
the risks associated with the 


AutoComplete feature in Internet 
Explorer, see “Protecting_Your 
Identity.” 


When you finish using e-mail at a public 
computer, don’t simply pull up a different Web 
page or click off to some other application. You 
must sign out of the e-mail service or risk 
exposing your e-mail account to the next person 
who sits down at this computer. (In most cases, 
closing all browser windows is equivalent to 
signing out, but it’s best to get in the habit of 
signing out explicitly. ) 


Troubleshooting 
Your session expires immediately. 


Many Web-based e-mail systems use 
session cookies to track your identity 
while you’re on line. If you log on to 
an e-mail service and then find 
yourself quickly booted out, it might 
be because, on the computer where 
you're working, the browser has 
inadvertently been set to disallow 
session cookies. You can use Internet 
Explorer 6 to reinstate session 
cookies, either globally or for 
particular URLs. For details, see 
“Protecting_Your Identity.” 


Some Web-based e-mail services, such as Yahoo 
Mail (shown earlier), offer the option of logging 
on over a secure (SSL—for Secure Sockets Layer) 
connection. Take advantage of this option if it’s 
available. Doing so will keep your logon 
credentials encrypted as they’re transmitted to 
the service provider, giving you an extra measure 
of protection against potential identity thieves. 


Signing In to Hotmail 


When you log on to Hotmail using a Web browser 
(as opposed to fetching mail via Outlook 2002 or 
Outlook Express), you have a choice of three 
security options, as shown in Figure 10-4. If 
you're using a public computer, be sure to choose 
the first option, Public/Shared Computer. Logging 
on with either of the other options can leave 
messages in the Web browser’s cache, subject to 
inspection by the next person who sits down at 
this computer. 


“-Figure 10-4. Be sure to choose the 
Public/Shared Computer option when logging 
on to Hotmail at a public computer. 


You can demonstrate this vulnerability for 
yourself (do it at home) by following these steps: 


1. Log on to Hotmail using either the 
second or the third option under 
Security Options (not Public/Shared 
Computer). 


2. Use Hotmail to read and send e- 
mail. 


3. Log Off. 


4. In Internet Explorer, choose File, 
Work Offline. 


5. Open the History pane, and then 
select By Order Visited Today from 
the View list. You should see 
several Hotmail-related links (such 
as Hotmail Compose or Hotmail 
Message) near the top of the 
History pane. 


6. Click a Hotmail-related link. If the 
browser gives you the option of 
reconnecting or staying offline, 
choose to stay offline. 


Your Hotmail page should appear in plain view. 


Handling Attachments and Script 


Some Web-based e-mail services can scan 
inbound and outbound attachments for you, 
significantly reducing the chance that you'll infect 
your computer (or one in your local library or 
Internet cafe) by downloading a virus. This option 
also eliminates the possibility that you'll 
inadvertently transmit a virus by sending an e- 
mail message from an infected computer. 
Hotmail, for example, automatically scans all 
attachments, without regard to file type, using 
software provided by McAfee.com. 


“-If your inbound attachments pass, Hotmail 
lets you download them (but does not allow you 
to open them directly). 


Yahoo, in contrast to Hotmail, scans attachments 
with Norton Antivirus and offers to scan only 
executable attachments, letting the inert ones 
pass without comment. If an executable consists 
of readable text, Yahoo also gives you the option 
of viewing the text (but not running the file): 


“-Before you commit to a Web-based e-mail 
service, you should familiarize yourself with its 
behavior toward attachments—particularly if you 
expect to be using the service at public 
computers that might not have adequate 
alternative forms of virus protection. If you plan 
to use the service as a secondary e-mail account 
(one to rely on while traveling, for example, or as 
an e-mail address to give out to online merchants 
in place of the address you normally use), try 
sending attachments of various file types from 
your primary account to the prospective 
secondary one to see what happens when they 
arrive. 


If possible, you should perform the same 
experiment with a sample of benign script 
(VBScript or JavaScript or JScript). Most, but not 
all, Web-based e-mail services will refuse to run 
the script. You should avoid any service that 
allows the script to run. Some services (Yahoo, 
for example) will display your script as text in the 
message body. If you know what you're looking 
at and can vouch for its safety, you can copy the 
script elsewhere and use it. Other services, such 
as Hotmail, will do their best to hide the fact that 
a message has script. (To see the script in a 
Hotmail message, click Options, and then click 
Mail Display Settings. In the Message Headers 
section of the Options page, choose Advanced. 
Then, in the expanded header of your message, 
click View E-Mail Message Source.) 


Protecting E-Mail from Prying 
Eyes 


It’s only a slight exaggeration to say that an 
unencrypted message sent by e-mail is about as 
private as a message written on a postcard. The 
problem is that packets of data moving from one 
e-mail server to another over the Internet travel 
through an unpredictable number of 
intermediaries; because these packets contain 
plain text, anyone who has access to any server 
along the way (your Internet service provider, for 
instance) can read the contents of messages in 
transit. The task might not be quite as simple as 
turning over a postcard, but it’s not that much 
more difficult. For messages whose confidentiality 
is crucial, you can hide your communication from 
everyone but its intended recipients with the help 
of public key cryptography. 


For information about public key 


cryptography, see What Are Digital 
Certificates?. 


When you want to send someone a confidential 
message, you first obtain that person’s public 
key. (You can do this via e-mail, or you might be 
able to download the key from a key server.) You 
encrypt your message with your recipient’s public 
key before sending it, and the recipient decodes 
it with his or her private key once the message 
arrives. Anyone attempting to eavesdrop on your 
communication along the way is rewarded with 
an incomprehensible jumble of letters and 
numbers. 


Public key cryptography also allows you to add a 
digital signature to your messages. Digitally 


signing a message assures your recipient of two 
things: that the message is from you (not 
someone pretending to be you), and that it has 
not been altered en route. It does not encrypt 
your message or protect it in any way from being 
intercepted. For more information about digital 
signatures, see Ensuring the Authenticity and 
Integrity of Your Messages. 


How Private Is Your E-Mail? 


The Electronic Communication Privacy 
Act (ECPA) of 1986 makes it illegal in 
the United States for third parties to 
intercept and read your e-mail. (Other 
countries might have laws that are 
more or less restrictive.) The amount 
of protection this law actually gives 
you is limited by enforcement 
difficulties and is subject to the 
following exceptions: 


e E-mail sent to any kind 
of public forum (such as 
a newsgroup or bulletin 
board service) is not 
private. 


e The privacy of a 
message is forfeited if 
you or any recipient of 
the message consents to 
making the message 
public. 


e An employer can legally 
read any message sent 
or received through the 
employer’s computer 
system. 


e An Internet service 
provider (ISP) can 
legally read your e-mail, 
including unretrieved 
messages in your 
mailbox and messages 
you’ve recently sent or 
received. 


You should also be aware that an ISP 
is entitled to make backup copies of 
your messages before they’re deleted 
from the ISP’s server. Law 
enforcement agencies can access 
these stored records with a legally 
obtained search warrant or subpoena. 


Obtaining a Public Key/Private Key Pair 


Many popular e-mail clients, including Outlook, 
Outlook Express, and Netscape Messenger, 
provide encryption and signing capabilities by 
supporting a standardized secure message format 
called Secure/Multipurpose Internet Mail 
Extensions (S/MIME). To encrypt messages using 
S/MIME, you must first obtain a digital certificate 
—sometimes also called a digital ID. A digital 
certificate is to electronic communications what a 
driver’s license or passport is to face-to-face 
transactions. It attests to your identity in a 
secure fashion. 


For information about acquiring and 
managing digital certificates, see 


Chapter 4, “Installing and Using 
Digital Certificates.” 


Password-protect your private key 


When you apply to a certification 
authority (CA) for a certificate, you 
might be given the option to seta 
security level for your private key. (In 
the VeriSign forms, for example, this 
option appears under the heading 
“Additional Security for Your Private 
Key.” If you accept, Windows presents 
a dialog box giving you the choice of 
High, Medium, or Low security. If you 
select High, you are prompted for a 
password every time an application 
uses your private key (when you send 
a digitally signed message or decrypt 
an incoming message, for example). If 
you select Medium, you are prompted 


for permission when an application 
requests your key, but you do not 
need to supply a password. If you 
select Low, an application can use 
your private key without obtaining 
your explicit consent. Although it 
might be inconvenient to supply a 
password every time your key is used, 
selecting High is the best way to 
ensure that your private key remains 
under your exclusive control. If you 
select Medium or Low (or bypass this 
process altogether), your private key 
is secured only by your user account 
password, which means that it is 
accessible to administrators and to 
anyone with physical access to your 
computer if you step away without 
logging out. 


Once you have obtained and installed your own 
certificate, you’re in a position to add digital 
signatures to your messages. You can also 
receive encrypted messages from others. To send 
encrypted messages to someone else, you need 
to acquire that person’s public key, as described 
in the following section. 


Using S/MIME to Send Encrypted 
Messages 


To send an encrypted message, you must have 
your recipient’s public key, which is a component 
of the recipient’s digital certificate. You can add 
that certificate to your certificate store by 
receiving a digitally signed e-mail message from 
your correspondent. When you receive the signed 
message, you need to install the attached 
certificate in your certificate store. To do this in 
either Outlook or Outlook Express, right-click the 
sender’s name in the message window and then 
choose either Add To Contacts or Add To Address 
Book. If you already have a Contacts item or an 
Address Book record for the sender, a prompt will 
ask whether you want to update the existing 
record. Click Yes. 


To confirm that you’ve successfully added your 
correspondent’s certificate to your certificate 
store, open his or her Contacts item or Address 
Book record. On the Certificates tab (in Outlook) 
or the Digital IDs tab (in Outlook Express), you 
should find an entry for the person’s certificate, 
as shown in Figure 10-5. To inspect the 
certificate, select it and click Properties. If more 
than one certificate has been installed for this 
correspondent, the one marked Default will be 
used for outbound encrypted messages. If you 
need to change the default, select the certificate 
you want to use and click Set As Default. 


“-Figure 10-5. You can confirm a successful 
installation of someone’s certificate by 
opening his or her Contacts item or Address 
Book record. 


If asking your correspondent to send you a 
digitally signed message is not convenient, and if 
you know which CA issued that person’s 
certificate, you might be able to download and 
install the certificate from the CA’s Web site. 
VeriSign and GlobalSign, for example, maintain 
directories at 

https://digitalid. verisign.com/services/client/inde 
x.html and http://secure.globalsign.net, 
respectively. 


After you have your recipient’s public key, you 
can encrypt a message to that person. In Outlook 
2000, do the following: 


1. Begin creating a new message in 
the normal way. In the message 
window, click the Options button on 
the toolbar (not the Tools, Options 
command that is available if you 
use Word as your e-mail editor). 


2. In the Message Options dialog box, 
select Encrypt Message Contents 
And Attachments. 


If you are using Outlook 2002, follow these 
steps: 


1. Begin creating a new message in 
the normal way. In the message 
window, click the Options button on 
the toolbar (not the Tools, Options 
command that is available if you 
use Word as your e-mail editor). 


2. In the Security section of the 
Message Options dialog box, click 
Security Settings. 


3. In the Security Properties dialog 
box, select Encrypt Message 
Contents And Attachments. 


In Outlook Express version 5 or 6, do the 
following: 


1. Begin creating a message in the 
normal way. 


2. In the message window, click 
Encrypt (on the toolbar) or choose 
Tools, Encrypt. 


Encrypting All Outbound Messages 


To encrypt every message you send in either 
Outlook or Outlook Express, choose Tools, 
Options. On the Security tab, select Encrypt 
Contents And Attachments For Outgoing 
Messages. 


If you try to send an encrypted message to 
someone whose public key you do not have, 
Outlook warns you as follows: 


“If your message is addressed to multiple 
correspondents, clicking Continue will send the 
message in encrypted form to all recipients. Only 
those recipients for whom you have a certificate 
will be able to read the message; all others will 
be unable to read the message text. 


Encrypting all message content 
imposes a burden on anyone who 
receives a message from you. In some 
scenarios, in fact, the recipient might 
be unable to read messages you send. 
This can happen, for example, if the 
recipient uses Outlook on two 
computers—a desktop computer and a 


notebook, for instance—and keeps 
synchronized copies of the Outlook 
message store on each computer. If 
the recipient’s certificate is saved only 
on the desktop computer, he or she 
will be temporarily unable to open the 
encrypted message on the notebook 
(and it’s difficult to download a 
certificate when you're working on a 
notebook that isn’t connected to the 
Internet). For the overwhelming 
majority of people, e-mail encryption 
is best performed on a message-by- 
message basis. 


Reading Encrypted Messages 


Outlook and Outlook Express identify encrypted 
messages by displaying an envelope icon with a 
blue padlock. For your protection, the message 
text does not appear in the preview pane in 
either program. When you open an encrypted 
message, your e-mail client retrieves your private 
key—after getting your permission or password, if 
you have protected your private key (see 
Password-protect your private key)—and decodes 
the message. While you’re reading, you can click 
the lock icon in the upper right corner of the 
message window to inspect the certificate that 
was used to encrypt the message. 


An unauthorized person who tries to read an 
encrypted message will see an error message 
similar to the following (from Outlook Express): 


“If you export an encrypted message, the 
message retains its encryption. If you forward an 
encrypted message, Outlook and Outlook Express 
assume that you want to encrypt the forwarded 


copy; you must, of course, have each new 
recipient’s public key to accomplish this. 


Ensuring the Authenticity and Integrity 
of Your Messages 


As we mentioned at the start of this chapter, one 
of the hazards inherent in the use of e-mail is the 
possibility that someone might impersonate you— 
that is, send messages that appear to come from 
you. Making an e-mail message appear to come 
from someone other than its true sender is 
ridiculously easy. All you have to do is change the 
name and e-mail address that appear in the User 
Information section of the sending account’s 
Properties dialog box. When your recipient opens 
your message, the information you entered is 
displayed in the From field. 


That simple trick might fool a novice computer 
user, but anyone who knows how to view the full 
message header can usually spot a forged From 
address . (For details on interpreting a full 
message header, see How to Decode an E-Mail 
Header.) Nevertheless, if someone chooses to 
embarrass you by sending a message that 
appears to originate under your name, you’re 
powerless to prevent it, and some damage could 
well be done if a recipient does not recognize the 
hoax. 


You can’t eliminate this hazard. What you can do 
is use a digital signature to certify that what you 
send really does come from you. If you suspect 
that someone is abusing your good name, you 
can even adopt the practice of digitally signing all 
your messages. 


A digital signature also ensures the recipient that 
your message has not been altered in any way. 
Consultants and software or hardware vendors 
often sign their e-mail notifications of security 


vulnerabilities and updates; this precaution 
prevents a third party from counterfeiting a 
message and fooling a recipient into downloading 
a patch that contains a virus or a Trojan horse 
program. Microsoft Security Bulletins, for 
instance, are always digitally signed using a PGP 
key (described later in this chapter). 


When you add a digital signature to a message, 
your e-mail client program begins by applying a 
one-way hash function to your message. The 
hash function creates a message digest—a unique 
string of characters that is derived from the exact 
text of your message but that cannot be 
converted back into your text. (For that reason, 
hash functions are used only for authentication, 
not for encryption.) Usually, the message digest 
is much shorter than the message from which it 
is derived. 


The message digest is then encrypted with your 
private key and attached (along with your 
certificate) to your message. If you, the sender, 
are not who you say you are, the signing process 
will fail at this point, and you will see something 
comparable to the following: 


“The recipient’s e-mail program applies the 
same hash function to the received message text 
and then decrypts the message digest, using your 
public key (supplied as part of your certificate). If 
the message has been altered in any way, the 
recipient’s hash function will not produce the 
same message digest as the sender’s, and the 
recipient will see an error message similar to the 
one shown here. 


“Signing All Outbound Messages 


To digitally sign every message you send in either 
Outlook Express or Outlook, choose Tools, 
Options. On the Security tab, select Digitally Sign 
All Outgoing Messages (in Outlook Express) or 
Add Digital Signature To Outgoing Messages (in 
Outlook). 


Using PGP for Signing and Encrypting 


As an alternative to the S/MIME procedures 
described in the foregoing paragraphs, you might 
be able to encrypt and sign messages using 
Pretty Good Privacy (PGP). PGP was the original 
standard for communications secured by public 
key cryptography—and some regard it still as the 
gold standard. Released in 1991 as freeware by 
its creator, Phil Zimmermann, PGP is still 
available for free, provided it is used for 
noncommercial purposes. Unfortunately, enabling 
PGP protection on a computer running Windows 
XP is problematical at best. The PGP technology 
is now owned by Network Associates, which 
discontinued development, marketing, and sales 
of all versions of PGP (commercial and freeware) 
in February 2002. 


As of May 2002, no versions of PGP, free or 
commercial, are certified to be compatible with 
Windows XP, and, in fact, trying to install PGP on 
a computer running Windows XP can cause a host 
of problems. If you use Windows 2000, you can 
download compatible freeware versions of PGP 
from the following sites. Note that any of these 
sites can restrict your ability to download specific 
versions of the PGP software from locations 
outside the United States and that the freeware 
versions are authorized only for personal, 
noncommercial use: 


e http://www.pgp.com/products/free 
ware/ 


e http://web. mit.edu/network/pgp.ht 


ml 


e http://www. pgpi.org/products/pgp/ 
versions/freeware/ 


PGP and Windows XP 


Although PGP is not certified to be 
compatible with Windows XP, various 
PGP users have reported, on public 
newsgroups and elsewhere, that the 
most recent freeware version (7.0.3) 
does work with Windows XP, provided 
that you do not install two 
components of the product: PGPNet 
and PGPFire. We tried installing 
version 7.0.3 without these 
components, and—so far, at any rate— 
all is well. If you try this yourself, 
heed the advice to steer clear of the 
PGPNet component, which is 
practically guaranteed to scramble 
your networking setup. And be sure to 
create a restore point before you 
begin the installation. If you make a 
mistake and destabilize your system, 
you will need to use System Restore 
to recover. (Simply uninstalling PGP 
will not get you back to square one.) 


A great many Web sites and 
newsgroups can help you stay abreast 
of ongoing developments in the PGP 
world. We recommend, in particular, 
the Questions & Answers section of 
Tom McCune’s PGP Page 
(http://www.mccune.cc/PGP.htm) and 
the newsgroups 
comp.security.pgp.discuss, 
alt.security.pgp, and 
ity.pgp.resources. 


PGP includes plug-ins for popular e-mail client 
programs, including Outlook and Outlook 
Express. If you use the PGP plug-in with Outlook, 
you should disable Word as your e-mail editor 
(choose Tools, Options; click the Mail Format tab; 
and then clear Use Microsoft Word To Edit E-Mail 
Messages) because the plug-in does not attach to 
Word. 


With or without a plug-in, the PGPtray component 
of PGP adds a padlock icon to your system tray. 
Clicking this icon opens a menu of PGP-related 
tasks: 


“YOu can use the Current Window submenu to 
encrypt, sign, decrypt, and verify (authenticate) 
the contents of an e-mail message window. 


Because PGP is not based on the S/MIME 
protocol, it does not require the use of 
certification authorities. PGP digital signatures are 
appended to e-mail messages as blocks of plain 
text. You can create as many public key/private 
key pairs as you want, without using certificates. 
(You can distribute your public keys by copying 
them into an e-mail message, posting them ona 
personal or corporate Web site, attaching them 
as files to messages, or directing correspondents 
to Network Associates’ key server.) Your recipient 
must also be a PGP user. 


If you want encrypted or signed communications 
but you’re not comfortable providing information 
about yourself to a CA, PGP might be the way to 
go. (PrivacyX, discussed in the next section, is 
another alternative.) PGP also offers the ability to 
encrypt disk files, and it includes a “wipe” utility 
that erases files irretrievably. 


PGP and Microsoft Security 
Bulletins 


Microsoft signs its own security e-mail 
bulletins with PGP, ostensibly to assure 
recipients that the bulletins are 
authentic. Curiously, the Washington 
Post's Newsbytes division 
(http://www.newsbytes.com/news/01/ 
168397.html) has reported that many 
of these security bulletin signatures 
have proved to be invalid. What’s 
going on here? 


The Microsoft team that produces 
security bulletins uses a proprietary 
software tool, built with Collaboration 
Database Objects (CDO), to generate 
the bulletins it sends to its many 
subscribers. The architects integrated 
Microsoft’s PGP signature into the 
works of the tool. Unfortunately, this 
tactic apparently doesn’t produce 
accurate results. If you use PGP to 
validate a Microsoft Security Bulletin 
using its PGP signature, you're likely 
to find that the signature doesn’t pass 
muster. 


Should you be alarmed? No. If you 
visit Microsoft’s Security Web site 
(http://www. microsoft.com/security), 
you can read the authoritative 
archived version of every security 
bulletin. Our advice is to think of the 
e-mail version of each bulletin as a 
pointer to that Web site. If the PGP 
test fails, you can rely on the 
information posted on the Web. 


Other Third-Party Encryption Tools 


A growing number of vendors offer services and 
plug-ins that provide e-mail encryption, digital 
authentication and time-stamping, certified 
receipts, and other useful security features. Some 
services require both recipient and sender to 
subscribe; others do not. Some are free; others 
are inexpensive—at the personal level, at least. 
All relieve you of the need to acquire and manage 
certificates. 


The following list is not exhaustive, but it will give 
you a sampling of what’s available. 


CertifiedMail.com 


CertifiedMail.com (http://www. certifiedmail.com) 
uses SSL for encryption. The company stores 
your outbound messages on its server, notifying 
recipients by ordinary email. Recipients, who do 
not have to be subscribers, connect to the server 
via SSL and enter a password (if you’ve chosen to 
assign one) to pick up the mail. Senders receive 
time-stamped confirmation of delivery. 


Plug-ins are available for Outlook, Outlook 
Express, and Lotus Notes. Subscribers with one 
of these plug-ins can send “certified” e-mail by 
clicking a toolbar button. Alternatively, any 
subscriber can use the service’s Web site to 
compose and send. 


CertifiedMail.com offers various levels of service. 
A personal account, free for 30 days, provides 2 
MB of storage, with messages expiring in five 
days. A “silver” account ($5 per month) increases 
storage to 25 MB, extends the expiration period 
to 14 days, and includes an online address book. 


With a “gold” account ($10 per month), you get 
100 MB, a two-year expiration period, wireless 
support, and the ability to retract messages 
before they’re claimed. 


HushMall 
HushMail (http://www.hushmail.com) is a free 


service that works like a Web-based e-mail 
account with encryption. You can log on to your 
HushMail account from any Web browser and 
send encrypted or signed messages to any other 
HushMail subscriber. The system is based on the 
OpenPGP standard. 


HushMail’s principal disadvantage is that both 
sender and receiver must be HushMail 
subscribers. (You can use HushMail to send 
unencrypted mail to nonsubscribers, however.) It 
has two potential advantages over PGP: You can 
access your account from anywhere, and 
HushMail manages your keys. 


PrivacyX 


PrivacyX (http://www. privacyx.com) combines 
encryption with anonymity. The service provides 
you with an e-mail account and a digital 
certificate that carries no information about you. 
Messages sent via your PrivacyX account—with or 
without encryption or signature—are stripped of 
identifying information, so that your recipient has 
no way of knowing who the sender is. Because 
PrivacyX uses standard S/MIME certificates 
(albeit anonymous ones), you can use its security 
features with anyone who also has an S/MIME e- 
mail program; that is, your correspondents do 
not need to be PrivacyX subscribers. 


To prevent you from using PrivacyX for spam, the 
service limits messages to twenty recipients; 
attachments are limited to 1 megabyte. 


PrivacyX costs $29.95 per year. A 30-day free 
trial is available. 


Sigaba Secure Email 


Named for the American World War II encryption 
machine, the only such device that remained 
unbroken throughout the war, Sigaba 
(http://www.sigaba.com) provides encryption 
between corporate e-mail gateways, running the 
key management and authentication services. 
The free SigabaSecure service allows desktop-to- 
desktop encryption of messages and attachments 
using either a Web interface or standard e-mail 
client software. (Plug-ins are available for 
Outlook, Outlook Express, Lotus Notes, Eudora, 
and Novell GroupWise as well as for Hotmail and 
Yahoo Mail.) SigabaSecure uses symmetric keys, 
rather than public and private keys, and assigns 
keys to messages, not to users. For desktop-to- 
desktop encryption, both sender and receiver 
must be registered with the service. 


ZixMail 


ZixMail (http://www. zixit.com) lets you exchange 
encrypted and signed mail with fellow subscribers 
and nonsubscribers alike. Subscribers receive 
ZixMail as attachments. Nonsubscribers receive 
notification that a secure message awaits them 
on Zixit’s servers. Connection between the 
nonsubscriber and Zixit is secured by SSL, and 
recipients are required to create a password the 
first time they pick up their mail. 


Senders can request a pickup receipt for any 
message; the receipt includes a digitally signed 
GMT time stamp. Messages remain on Zixit’s 
servers for two weeks by default. (You can 
extend the period to three weeks.) If a message 
is not retrieved by its expiration date, the service 
notifies the sender. 


ZixMail includes plug-ins for Outlook and Lotus 
Notes (but not for Outlook Express). In these 
programs, you can click a toolbar button to send 
e-mail via ZixMail or read incoming Zixmail 
messages. (In Outlook, you can’t use Word as 
your e-mail editor, however.) If you’re using a 
program that doesn’t have a ZixMail plug-in, you 
use Zixit’s attractively designed mail client and 
address book instead. 


Individual subscriptions are $35 per year; a 30- 
day free trial is available. 


Chapter 11 


Blocking Spam 


Sooner or later, everyone who uses electronic 
mail begins receiving unsolicited commercial e- 
mail, often referred to as UCE or simply spam. 
Spam is a scourge, because e-mail is incredibly 
inexpensive, and unscrupulous senders can blast 
it out by the millions of messages. As a result, 
junk e-mail can proliferate at a rate much faster 
than junk mail delivered by the postal service. 


Make no mistake about it: Spam represents a 
threat to your computer's security. Unchecked, 
spam can literally overwhelm legitimate 
messages, making it impossible for you to find 
important mail from business associates, friends, 
and family. Spam is a haven for scams, frauds, 
deceptive marketing practices, illegal chain 
letters, and extremely offensive, graphic 
pornography. A small but statistically significant 
number of spam messages include viruses, Trojan 
horses, and other hostile code, or use enticing 
and misleading language to trick you into clicking 
on Web sites that can be dangerous to your 
computer. Porn sites in particular are notorious 
for their attempts to hijack your browser’s home 
page or to fool you into downloading hostile 
ActiveX controls or installing “dialer” programs 
that silently rack up charges of several dollars a 
minute for their sleazy content. 


And by any objective measure the problem with 
spam is getting worse. Brightmail, a company 
that specializes in detecting spam and blocking it 
from corporate servers, estimates that the 
Internet was plagued by more than 162 million 
individual spam attacks in 2001. Because each 
barrage might consist of hundreds or even 


thousands of individually addressed e-mail 
messages, the total number of spam messages 
almost certainly numbers in the billions. 
Sometimes it feels like every one landed in our 
inbox. 


Unfortunately, spammers are a case study in the 
survival of the fittest. For every countermeasure 
that spam-fighters develop, spammers figure out 
a workaround. That’s why effectively battling 
spam requires constant vigilance and a 
willingness to outfox spammers. The good news? 
You already have all the tools you need. In this 
chapter, we'll show you how to detect spam, how 
to filter it out of your inbox, and how to fight 
back against spammers. 


Security Checklist: Fighting Spam 


Want to take charge of unwanted e- 
mail? Use this checklist to identify 
steps you can take. Some items might 
not be appropriate for your system 
configuration or e-mail client software; 
review the information in this chapter 
before you forge ahead. 


e Choose an e-mail 
program with robust 
filtering features. 


e Set up message rules to 
sort and filter incoming 
e-mail. 


e Set up at least one 
alternate e-mail address 
for use with untrusted 
recipients. 


e If you run a mail server, 
install spam-blocking 
software at the gateway. 


e Learn how to decode a 
message header. 


What Is Spam? 


The first challenge in dealing with spam is 
defining it. Being able to distinguish different 
types of electronic mail is the crucial first step in 
devising your strategy. Sorting incoming e-mail 
messages into categories forms the basis of 
virtually all filtering schemes. Done right, this 
winnowing process not only helps you identify 
unwanted bulk mail; it also helps you avoid false 
positives, in which a legitimate e-mail message is 
accidentally classified as spam and tossed or 
ignored. 


In the broadest of terms, all e-mail messages you 
receive can be sorted into one of the following six 
categories: 


e Personal messages addressed 
directly to you. E-mail from 
friends, relatives, and business 
associates falls into this category. 
Ideally, every message in this 
category should land in your inbox. 
Some spam-blocking software can 
mistakenly trap legitimate 
messages that contain words or 
phrases commonly found in spam 
messages. 


Personal messages copied to 
you. This category consists of 
messages addressed to another 
person, with your address included 
on the Cc (courtesy copy) or Bcc 
(blind courtesy copy) line. 
Mechanical filtering systems often 


mistakenly identify blind copies as 
spam. 


Messages sent to a mailing list 
of which you are a member. The 
software that runs most mailing list 
servers is designed to protect the 
privacy of individual recipients by 
hiding their names and e-mail 
addresses behind a single e-mail 
address called a /ist alias. 
Subscribers to the list send a 
message to other users by 
addressing it to the alias, with the 
list server determining whether the 
message should be forwarded or 
rejected. Messages from mailing 
lists are frequently misidentified as 
spam because they are usually not 
addressed directly to the recipient. 


Commercial messages you 
requested or authorized. Many 
businesses and organizations use e- 
mail to maintain contact with their 
customers. Typically, you sign up 
for these messages by registering 
at the company’s Web site, often 
when you set up an online account. 
The character of these commercial 
messages can vary widely. Software 
companies and developers often 
send important support bulletins or 
update notices to all registered 
users, for instance. An online 
business might send notices of 
special prices or new products to all 
their customers; the same company 
might also send individual e-mail 


messages to confirm purchases or 
shipping details. Sorting this type of 
mail is the most difficult challenge 
for any spam-fighting program. 


Unsolicited commercial e-mail 
sent from a known company or 
organization. Some businesses 
and marketing organizations insist 
on using e-mail as a marketing 
tool, blasting advertisements to 
prospective customers who haven’t 
specifically requested such 
information. This category is the 
digital equivalent of the junk mail 
that clutters up your mailbox. 
Because it’s unsolicited, it qualifies 
as spam. Many of these 
overaggressive senders offer you 
the option of having your name 
removed from their mailing lists; 
those messages that don’t include a 
usable removal option are relatively 
easy to filter out. 


If you see a “remove me 
from your list” link 
within a spam message, 
don’t click it until you 
determine who really 
sent the message. 
Legitimate businesses 
and marketing 
companies provide 
clearly labeled options 
that allow recipients to 
“opt out” of future 
mailings either by 
clicking a link on a Web 


site or sending a 
message to an e-mail 
address. But if the 
original message 
includes counterfeit 
headers and was sent 
through a hijacked mail 
server, the link in the 
message might be 
nothing more than 
window dressing 
intended to make the 
message look legitimate. 
If you’re lucky, your 
request will go nowhere 
should you click such a 
link. But some shady 
companies that compile 
lists of e-mail addresses 
use these phony links to 
confirm that your e-mail 
address is valid. By 
responding to spam, you 
practically guarantee 
that you'll receive more 


spam. 


e Unsolicited bulk e-mail from an 
unknown or anonymous source. 
This category consists of messages 
sent using bulk-mail software 
designed to disguise the identity of 
the sender. This category includes 
the overwhelming majority of 
scams, chain letters, and come-ons 
for adult sites that make up the 
most vexing spam. Blocking this 
category of spam is an ongoing 
battle because developers of bulk- 


mail software regularly incorporate 
tricks designed to fool spam filters. 


Sneaky Spammers’ Secrets 


When spammers unleash a flood of e-mail 
messages onto the Internet, they use a variety of 
tricks to hide their true identity. Their goal is to 
find suckers who will take the bait and call, click, 
or e-mail for the (usually bogus) offering; 
disguising the source of the message makes it 
difficult for outraged recipients to complain. Here 
are the common tools of the spammer’s trade: 


e Hijacked mail servers. Virtually 
all bulk-mail programs do their dirty 
work by exploiting open e-mail 
relays—mail servers that are 
misconfigured to allow users from 
outside the local network to send e- 
mail without being authenticated. A 
spammer who finds an open relay 
can pump thousands of messages 
through that server in a very short 
time, often without being detected, 
forging the message headers 
(information that documents a 
message’s travels over the 
Internet) so that their true origin is 
virtually impossible to trace. 
Unfortunately, the supply of wide- 
open e-mail servers on the Internet 
is enormous and growing every 
day, and finding open relays is 
trivially easy. In the next section, 
we explain how you can decode a 
message header and spot a 
message that has been sent 
through a hijacked mail server. 


e Bogus addresses. The From 
address on a spam message sent 
through an open relay is nearly 
always counterfeit. The To address 
is often faked as well. In fact, some 
bulk-mail software is clever enough 
to pick up the recipient’s e-mail 
address and use it as the From 
address, resulting in a message 
that looks as if you sent it to 
yourself! 


e Misleading subject lines. Many of 
the sleaziest spam attacks include 
innocuous or personalized subject 
lines. Porn peddlers in particular 
like to use innocent subject lines 
such as “Did you get my message?” 
or “Info you requested.” The 
purpose, of course, is to slide past 
filtering software that looks for 
trigger words in the subject line. 


e Obfuscated URLs and scrambled 
sites. Spammers trying to sell 
worthless products often include a 
link to a “throwaway” Web page on 
a free service, which in turn 
redirects users to the real site. The 
throwaway page is usually taken 
down within hours or days, but not 
before at least a few suckers have 
been taken in. Determined 
spammers can make it 
extraordinarily difficult to determine 
the actual destination page by 
composing pages in JavaScript and 
using URLs that have been 


obfuscated using a variety of 
techniques. 


Decode sneaky spam messages 


If you’re interested in learning more 
about the techniques spammers use to 
obfuscate URLs and disguise pages, 
read the news.admin.net-abuse.email 
FAQ at 
http://www.spamfag.net/spamfighting 
shtml. Section 1.3.1, “Spammer 
Tricks,” is exceptionally well written 
and informative. An article by Keith 
Little entitled “How to Obscure Any 
URL” (http://www. pc- 
help.org/obscure.htm) goes into 
tremendous detail as well. For a suite 
of tools you can use to de-obfuscate 
misleading URLs, go to 
http://www.swishweb.com/dec.htm. 


How to Decode an E-Mail Header 


Distinguishing legitimate e-mail messages from 
spam can be a daunting task. Opening or 
previewing a message doesn’t give you enough 
information to make an intelligent judgment. The 
message shown in Figure 11-1, for instance, 
displays many of the warning signs of spam, but 
it could also be legitimate. The trouble is, all 
visible indications shown in a message window 
can be counterfeited with ease. 


“-Figure 11-1. Is this message legitimate? 
You cant tell just by looking. 


Why does it matter whether a message is 
legitimate? When senders honestly disclose the 
source of a message, you can contact those 
senders to demand that you be taken off the 
mailing list. If they ignore your request, you can 
filter out any further messages with the senders’ 
address, and you can send a meaningful 
complaint to the company, to industry groups, 
and to consumer protection agencies. By 
contrast, when a spammer hides the origin of a 
message by forging addresses and relaying the 
mail through hijacked servers, filters using the 
message headers are ineffectual and filing a 
complaint is much more difficult; in these cases, 
your goal is to set up a filter that detects similar 
messages by using criteria other than the 
sender’s address. This way you can prevent those 
messages from landing in your inbox again. 


To determine whether a message came from a 
legitimate source, you need to check the 
message headers. Although many parts of a 
message header can be forged, the crucial details 
that show which mail server a message passed 


through just before reaching your mailbox are 
usually accurate. Every e-mail client program 
uses a Slightly different technique to reveal the 
full message headers. 


Viewing Message Headers in Outlook 
Express 


In Microsoft Outlook Express, follow these steps: 


1. Double-click the message to open it 
in its own window. 


2. Choose File, Properties (or press 
Alt+Enter) to open the Properties 
dialog box for the message. 


3. Click the Details tab to see the full 
headers for the message. (You 
might need to scroll left or right to 
read details that are too wide to fit 
in the window.) 


4°°To copy the header text to the 
Clipboard, right-click any portion of 
the Details window and choose 
Select All; then right-click again 
and choose Copy. This allows you to 
paste the full header into an e-mail 
message (to complain to a 
spammer’s Internet service 
provider, for instance) or another 
window, such as a browser-based 
tool for tracking down the true 
location of an IP address. 


Viewing Message Headers in Outlook 


If you use Microsoft Outlook 2000 or Outlook 
2002 (which is part of Microsoft Office XP), follow 
these steps: 


1. Double-click the message to open it 
in its own window. 


2. Choose View, Options to open the 
Message Options dialog box for the 
message. 


3. Scroll through the Internet Headers 
box to see the full headers for the 
message. 


4°°To copy the header text to the 
Clipboard, right-click any portion of 
the Internet Headers box and 
choose Select All; then right-click 
again and choose Copy. You can 
then paste the full header into an 
e-mail message or another window. 


Viewing Headers in Other E-Mail 
Programs 


If you use a different e-mail program, you'll need 
to search that program’s documentation for 
instructions on how to read the full headers for a 
message. In Netscape Messenger, for instance, 
you can choose View, Headers, All to see a 
complete display of message headers in the 
preview pane and in each message window. In 
Eudora for Windows, open the message and click 
the cleverly named Blah Blah Blah button. If 
you're using your Web browser to view messages 
sent to your Hotmail or MSN account, choose 
Options from the main Hotmail screen, click Mail 
Display Settings, and choose Full or Advanced 


instead of the default Basic setting for the 
Message Headers option. 


Reading a Message Header 


The most important pieces of information in an 
Internet message header appear near the top, in 
a block starting with the word Received. The 
individual entries in these headers are 
automatically inserted by each Mail Transport 
Agent (MTA) that handles the message. Although 
the sender can attempt to forge a portion of this 
header, most mail servers add enough 
information for you to identify the chain of 
servers through which the message passed. The 
entry at the top of the list shows the final transfer 
and should include the name of your mail server. 
One entry in the Received block should show the 
IP address of the sender, although a crafty 
spammer could try to disguise some of this 
information. Figure 11-2 shows a sample of what 
the header from a spam message might look like. 
(Although this example comes from a real 
message, the details have been changed to 
protect the guilty.) 


“-Figure 11-2. Jn this message header, only 
the block with “Received” details contains 
any useful information. Everything else is 
forged. 


1. The Return-Path header is forged. 
Spammers often use bogus 
addresses from free e-mail services 
such as Hotmail or Yahoo. Anyone 
who tries to complain by hitting the 
Reply button will find that their 
message goes to a nonexistent 


address (or one that has been shut 
down by the e-mail provider). 


. This entry in the Received block 
shows the name and other 
identifying information for the 
recipient’s mail server (in this case, 
mail.example.com) and the name 
of the server that last handled the 
message. That server’s name might 
or might not be accurate, but the 
MTA has inserted the correct IP 
address for the server in brackets. 
Tracing that IP address can quickly 
tell you whether the server name is 
accurate. 


. This entry in the Received block 
shows the origin of the message. 
Although the spammer has tried to 
disguise the name of the sending 
computer, the MTA has helpfully 
inserted its actual name and IP 
address in parentheses. Judging by 
the name, it’s probably safe to 
assume that this sender was using 
a dialup account to connect to the 
mail server. By checking the 
message ID and the time stamps, 
the Internet service provider might 
be able to identify the customer 
who sent this message. 


Note that the server name at the 
end of this line is the same as the 
one at the beginning of the 
preceding line. Clever spammers 
can add fake Received lines to this 
list to cover their tracks, and some 
corporate firewalls or internal mail 


gateways might add additional 
gateways. The easiest means by 
which to spot a fake Received line is 
to match the receiving server at the 
end of one line with the sending 
server at the beginning of the line 
above it. If you can’t see evidence 
of the message being handed from 
one server to another, you should 
be suspicious of that Received 
entry. 


Some bulk mail 
programs include their 
own Simple Mail 
Transport Protocol 
(SMTP) servers, which 
run directly from the 
spammer’s desktop. In 
this configuration, the 
Received header will 
typically point to the 
computer running that 
software. Another 
common trick is to 
hijack a Web site that 
contains a form intended 
for users to enter 
feedback or comments; 
if the form is powered 
by an older version of 
the popular FormMail 
CGI script, the spammer 
can take over the Web 
server and use it to 
pump out spam—usually 
a very short message 
containing a link toa 
Web site. If you see a 


message that begins by 
announcing that it’s the 
result of your feedback 
form, this is the 
robable source. 


4. This header is a unique message ID 
tacked on by the original MTA. It 
could be useful if you ever need to 
trace the message through 
succeeding servers. 


5. Everything below this point can 
easily be forged. 


Decipher message headers with 
ease 


If the thought of manually decoding a 
message header gives you a 
headache, you can take your choice of 
several automated tools. 
SamSpade.org (http://samspade.org) 
has an amazingly complete set of 
online tools; you can also download 
the free Sam Spade for Windows 
network query tool from 
http://samspade.org/ssw/. If you’ve 
successfully decoded the header and 
now want to look up IP addresses, try 
the UXN Spam Combat page at 
http://combat.uxn.com, or the 
extremely thorough Elephants’ Toolbox 
at Cotse.com 


(http://www.cotse.com/iptools.htm!). 


Don’t let message headers overwhelm you. Your 
goal in looking through the headers is to 
determine whether the sender is being honest 


about the source of the message. If you can 
match the domain of the return address with that 
of the server that sent the message, you can 
probably assume that the sender is legitimate. If 
you're receiving a flood of mail from that 
address, use a filter to block it, as described later 
in this chapter. 


Basic Spam-Blocking 
Techniques 


When it comes to blocking spam, we have good 
news and bad news. The good news is that you 
can indeed devise a strategy to drastically reduce 
the amount of spam that lands in your inbox. The 
bad news is that devising an effective spam- 
blocking strategy requires a fair amount of up- 
front effort and ongoing maintenance; there is no 
simple solution that will block spam with a few 
easy clicks. 


Following the six rules listed here should help you 
put together an effective anti-spam regimen: 


Rule #1: Guard your e-mail address 
carefully. Spammers compile mailing lists using 
a variety of sources. You can increase your odds 
of staying out of spam databases by not giving 
out your address to any untrusted person. 
Unfortunately, no matter how vigilant you are, 
every e-mail address begins to attract at least 
some spam eventually, especially if your user 
name is a common one (like Ed or Carl). That’s 
because determined spammers use dictionary- 
based attacks to send mail to every likely address 
at every domain they can find; if they don’t geta 
bounce message for a given address (like 
ed@example.com), they add it to their list. Also, 
well-meaning friends and relatives can 
inadvertently give your address away by entering 
it in online contests or “joke of the day” Web sites 
—most of which are designed specifically to 
harvest e-mail addresses for spam lists—or by 
including it on a Cc list that makes its way to an 
unscrupulous person. 


Protect your identity 


Don’t overlook the need to guard your 
identity in public forums and on Web 
sites. If you include your e-mail 
address in messages you post to 
Usenet forums or Webbased bulletin 
boards, you can be certain that 
spammers will find it using address- 
harvesting programs (called 
spambots). Use a secondary address, 
or practice what Usenet veterans call 
“address munging.” Instead of 
entering your actual address, add 
some obviously invalid characters and 
append the word invalid to the end of 
the address. For instance, 
katie@example.com could become 
Katie. NOSPAM@REMOVE.THIS.exampl 
e.com.INVALID. The munged address 
will trip up spambots, but a human 
being should have no trouble figuring 
out the real address. Also, never 
publish your personal e-mail address 
on a Web site. Businesses can add a 
secure form to allow customers and 
clients to contact them via the Web; 
many Web hosting companies include 
CGI scripts that can be used for this 
purpose. 


Rule #2: Use alternate addresses for 
transactions with untrusted parties. Set up 
an e-mail account with a free service such as 
Hotmail and use it for Web sites and online 
services that require you to provide a valid e-mail 
address. If the address becomes flooded with 
spam, stop using it and open a new account. 


Rule #3: Use server-based spam-blocking 
solutions when possible. If you run your own 
mail server as part of a business, investigate 
anti-spam add-ins. If you get your mail through 
an Internet service provider, find out whether 
they offer any spam-blocking options; some ISPs 
will provide this service but only if you ask. 


Use IMAP, if possible 


Most Internet service providers store 
and forward mail using the Simple 
Mail Transport Protocol (SMTP) on the 
server, with clients using Post Office 
Protocol 3 (POP3) to retrieve 
messages. But a different industry 
standard, Internet Message Access 
Protocol (IMAP), gives users far more 
control over their mail. With an IMAP 
server, you can define rules that allow 
the server to process messages before 
they ever reach your client software. 
Outlook 2000 and Outlook 2002 are 
both fully capable of working with 
IMAP servers. If this option is available 
to you, take advantage of it, and use 
server-side rules to block spam. 


Rule #4: Learn when and how to opt out of 
unwanted e-mail. The best way to stop junk 
mail is before it ever reaches your inbox. 
Reputable businesses and online marketers 
provide a mechanism for you to remove your 
names from their mailing lists. Getting your name 
off those lists makes it easier to set up filtering 
rules. 


Rule #5: Choose your e-mail client software 
carefully. All e-mail programs are not created 
equal. Outlook Express, for instance, offers an 


extremely limited set of e-mail filtering features. 
If you plan to use filters extensively, you'll get 
better results from Outlook. If you use Outlook 
97 or Outlook 2000, consider an upgrade to 
Outlook 2002, which offers more sophisticated 
filtering capabilities than earlier versions. 


Rule #6: Filter! The secret of successful spam- 
blocking is to aggressively filter out unwanted 
messages. Virtually all Microsoft Windows-based 
e-mail programs allow you to create rules that 
automatically sort messages into folders as they 
arrive in your inbox, based on their content or on 
information in the address block. More 
sophisticated filtering tools allow you to construct 
rules that examine the full message headers and 
can permanently delete messages instead of 
simply moving them to the trash. In the following 
section, we'll discuss the built-in filtering options 
in Outlook Express and Outlook. Later in this 
chapter, we'll list some third-party filtering 
products and services that work with any e-mail 
client software. 


Master your own domain 


If e-mail is a critical part of your 
business life, don’t settle for a 
standard SMTP/POP3 account at your 
local ISP. Instead, consider setting up 
your own domain at a Web hosting 
firm that includes e-mail services as 
part of its package. For a relatively 
low cost, you can purchase a domain 
name that identifies you and your 
business, with the option to set up 5, 
10, 25, or more individual accounts at 
that domain. You can create separate 
e-mail addresses within your domain 
that you can use to sort personal and 


business mail, even creating the 
illusion that a one-person company is 
bigger than it seems. Many of these 
accounts also include a “catch-all” 
feature that automatically forwards 
any message addressed to your 
domain, even if the address isn’t one 
you previously set up. Use this option 
to create unique addresses for each of 
your favorite online merchants (for 
instance, ed-amazon@example.com), 
making it easy to filter incoming mail 
from each merchant based strictly on 
the address you provide. If one of 
your addresses lands on a spam list, 
you can filter it at your Web hosting 
company’s server so that it never 
reaches your inbox. 


Using Filters 


If you can’t stop spammers from bombarding you 
with unwanted e-mail, message filters are the 
best method to prevent them from interfering 
with your productivity. Although the procedures 
for creating rules vary from program to program, 
each rule typically consists of one or more 
conditions and a matching action. For instance, 
you might create a rule that examines each 
incoming message to see whether the sender has 
an address in your company’s domain (the 
condition); if so, you want to move the message 
to your Company Mail folder (the action). Most 
people use filters ineffectively by trying to set up 
roadblocks for spam—by identifying suspicious 
words and phrases, for instance, or by blocking 
one sender at a time. (Outlook Express, in fact, 
allows you to quickly add the sender of any 
message to a Blocked Senders list). For most 
spam, which uses forged addresses and is sent 
through hijacked servers, that strategy is doomed 
to failure. In this section, we'll explain a filtering 
strategy that is much more effective at removing 
the clutter from your inbox. 


A quick search of the Internet will turn 
up a number of well-meaning would- 
be spambusters who've assembled 
lists of e-mail addresses that you can 
download and import into your 
Blocked Senders list (Outlook Express) 
or Junk Mail filter (Outlook 2000). 
Each address is reportedly confirmed 
to have been used in the past by a 
spammer. One popular list we found 
contains more than 70,000 individual 
e-mail addresses. While this strategy 


sounds tempting, it has two serious 
flaws. First, the overwhelming 
majority of addresses on these lists 
are throwaway accounts from free e- 
mail providers, created by a spammer 
for the specific purpose of sending one 
piece of junk mail and then never 
used again—so the list isn’t likely to 
turn up many matches and thus won’t 
do much to cut down on spam. 
Second, and even worse, forcing your 
e-mail software to chug through a list 
of 70,000+ bogus names every time 
you receive a new message could slow 
down your computer's performance 
substantially. 


A smart filtering strategy starts with one golden 
rule: Use filters to identify the messages you 
want to read first! Leave those messages in your 
inbox, or move them to another folder reserved 
for messages that have been certified as 
legitimate. After you’ve sorted out the messages 
from friends, family, coworkers, and mailing lists 
to which you subscribe, you'll be left with 
confirmed junk mail and suspected spam, which 
can be diverted to other folders or deleted. This 
strategy is the best way to avoid false positives, 
in which a message from a trusted contact is 
mistakenly categorized as spam. 


Keep rules in order 


Regardless of which e-mail client you 
use, the order in which you process 
rules is crucial. If you create a rule 
that categorizes anything with the 
phrases “$$$” or “XXX” as spam, 
make certain that rule goes into effect 
after you’ve sorted out messages from 


friends, families, and coworkers. If 
you put the $$$/XXX rule at the top of 
your list, you might inadvertently 
throw out a message from your 
mother asking what she should do 
with this chain letter someone just 
sent her. (And if she sends you the 
chain letter, you'll definitely want to 
educate her on why she shouldn’t do it 
again!) 


The first step in setting up an effective filtering 
program is to create a set of folders to hold each 
category of messages. Figure 11-3 shows an 
Outlook Express window with a basic set of 
folders defined. Although you can design a much 
more intricate filing system, this group of folders 
represents an excellent starting point. (And yes, 
the messages in the Probable Spam folder are 
real!) 


“-Figure 11-3. As the first step in your 
spam-filtering strategy, create a basic set of 
folders for sorting incoming messages. 


Next set up a basic set of message rules to 
successively filter out messages in each category 
and move them to the appropriate folder. If 
you're willing to put in the effort, you can build 
up a list of dozens or even hundreds of rules. 
However, a half-dozen message rules (the 
conditions and actions for one are shown in 
Figure 11-4) are sufficient to filter out most spam 
without disturbing the messages you want to 
read. Table 11-1 describes how each rule works. 
In the section “Creating Custom Filters,” we'll 
show you the steps you take to construct these 
rules. 


wad 


Figure 11-4. Make certain your message 
rules are processed in the correct order; this 
basic set of rules handles legitimate 
messages first, before dealing with 
suspicious e-mail. 


Table 11-1. Basic Message Rules 


Message 
Rule 


Trusted 
Contacts 


Mailing 
Lists 


What It Does 


For the first filter, create a list of 
trusted addresses (your 
mother’s address at msn.com 
might be one) and domains (all 
messages sent from addresses 
at your company’s domain, for 
instance). Choose “Stop 
processing additional rules” as 
the only action. This rule leaves 
all matching messages in the 
inbox and should remain at the 
top of the rules list. 


Use individual e-mail addresses, 
domain names, or a fragment of 
unique text from the subject line 
or message body to identify 
each incoming message from 
mailing lists to which you 
subscribe. Move these messages 
to one or more separate folders 
and stop processing additional 
rules. 


Message 
Rule 


Known 
Spammers 


Probable 
Spam 


What It Does 


This category includes all bulk 
mail from companies that 
identify themselves properly but 
refuse to remove your name 
from their mailing lists. In this 
rule, create conditions based on 
domain names, specific e-mail 
addresses, or message headers; 
for the rule actions, mark each 
matching message as read and 
then delete it. Be sure to choose 
“Stop processing additional 
rules” as the final action. 


In the example shown in Figure 
11-4, we created two rules for 
this category. The first rule 
identifies all messages for which 
your specific address is not in 
the To or Cc fields. The second 
rule finds messages that contain 
words or phrases commonly 
found in spam. (If you use 
Outlook, the built-in Junk E-mail 
and Adult Content rules 
described in the section “Using 
Outlook’s Junk Mail and Adult 
Content Filters” work well.) For 
the rule’s action, mark 
messages as read and move 
them to the Probable Spam 
folder for further examination; 
most will eventually be deleted. 


Bee sade What It Does 

Rule 

All Other If you’ve set up the preceding 

Messages rules correctly, this group should 
include mostly spam that’s 
addressed directly to you, plus a 
few messages from people who 
are not on your list of trusted 
contacts. Choose “For all 
messages” as the condition, and 
for the action move matching 
messages to an Unfiled folder 
for further examination. 


Manage mailing lists 


Setting up filters for mailing lists can 
be difficult. The format of the subject 
line might not be consistent, and the 
sender’s address can change 
periodically as well. Your best 
strategy? Look at the boilerplate text 
at the beginning and end of a typical 
message. Thoughtful mailing list 
managers often include identifying 
phrases or keywords (sometimes 
formatted in a distinctive way) that 
are designed to help you positively 
identify and filter messages from that 
list. Even without that tag, you might 
be able to pick out a unique phrase 
from the copyright line and use it to 
define the condition for a message 
rule. 


Of course, you can customize these rules 
extensively. If you subscribe to a large number of 


high-traffic mailing lists, for instance, you might 
prefer to create a subfolder and a matching rule 
for each list. Likewise, you might create a series 
of rules designed to filter out spam and adult 
content—automatically, permanently deleting any 
message that contains a list of particularly vulgar 
words or phrases, for instance. Just make certain 
that each new rule goes in the same location 
within your list of rules as other rules in its 
category. If you create a new rule that sorts 
messages from the Lockergnome mailing list into 
their own folder, you need to move the rule into 
the group of messages that apply to other 
mailing list messages. After creating the rule and 
giving it a meaningful name, use the Move Up or 
Move Down button to put it in its proper place. 


Be extremely careful with two types of 
rules: those that permanently delete 
messages and those that respond 
automatically to incoming messages. 
Use the “permanently delete” option 
(available in Outlook but not in 
Outlook Express) only for message 
rules whose effect is absolutely, 
positively certain. A loosely 
constructed rule that permanently 
deletes messages could end up 
erasing important mail without your 
knowledge. Rules that automatically 
respond to messages that meet 
certain conditions are even more 
dangerous because of the risk that the 
rule will create an “e-mail loop” in 
which your client software and an e- 
mail server automatically reply to each 
other’s messages. If your auto- 
responder replies to a mailing list, you 
could end up being accused of 


spamming the list yourself! Microsoft 
Outlook protects against the possibility 
of e-mail loops by firing off an auto- 
reply or auto-forwarded message in 
response to a rule only once per day 
or session, regardless of whether the 
rule is stored on the client or on the 
server; Outlook Express does not offer 
this protective feature and is thus 
more vulnerable to e-mail loops. 


Creating Custom Filters 


The procedures for creating message rules vary 
depending on the software you're using. In this 
section, we focus on techniques for Outlook 
Express and Outlook 2002. We also take a brief 
look at how to create and maintain a list of mail 
filters in other e-mail clients, including the Web- 
based offerings from Hotmail and MSN. 


Message Rules in Outlook Express 


Creating a rule in Outlook Express involves filling 
in four options in a dialog box. The process is 
relatively straightforward, although it contains a 
few gotchas. 


In this section, we assume that you’re 
using Outlook Express 5.50 (a 
component of all versions of Microsoft 
Internet Explorer 5.01 Service Pack 1 
and later) or Outlook Express 6 (the 
default in all versions of Windows XP 
and included with Internet Explorer 6). 
If you’re using an earlier version of 
Outlook Express with Windows 2000, 
we strongly recommend that you 
upgrade immediately to take 


advantage of security improvements 
in the latest version. 


To start creating a message rule, open the main 
Outlook Express window and choose Tools, 
Message Rules, Mail. If this is the first time 
you’ve created a rule, the New Mail Rule dialog 
box opens directly. If you have previously created 
any rules, the Message Rules dialog box opens 
and displays a list of all currently available rules. 
Click the New button to begin the four-part 
process. Figure 11-5 shows the New Mail Rule 
dialog box after all four steps have been 
completed. 


“-Figure 11-5. As you select options in steps 
1 and 2, the Rule Description box (step 3) is 
filled in automatically. Click the underlined 
options to specify details for each message 
rule, 


1. In the first box, Select The 
Conditions For Your Rule, click to 
select one or more options from the 
available list. Be aware of these 
general guidelines: 


e You can filter based 
on information in the 
From, To, or Cc line, 
or based on text in 
the subject line or 
message body. You 
can also create rules 
that check the 
account from which 
the message was 
received, the size of 
the message, whether 
it contains an 


attachment, and 
other criteria. 


Although it’s not 
immediately 
apparent, you can 
add “not” to any 
condition using an 
option in step 3. For 
instance, if you want 
to create a rule that 
selects messages in 
which your name is 
not in the To or Cc 
fields, select Where 
The To Or CC Line 
Contains People. 


When you select two 
or more options, 
Outlook Express 
automatically 
combines them using 
the “and” operator. 
You can change this 
operator to “or” in 
step 3. 


The last option in the 
list, For All Messages, 
is useful as the basis 
for the final rule in a 
list of rules, which 
might move all 
messages that 
weren't processed by 
previous rules to a 
specific folder. You 
could also use this 


condition in a rule 
that forwards a copy 
of all incoming 
messages to a 
separate e-mail 
account while you're 
away from the office 
and unable to connect 
with your regular mail 
server. 


2. In the next box, Select The Actions 
For Your Rule, click to select one or 
more options from the available list. 
Note the following suggestions: 


e Although you can 
select any 
combination of 
actions, be sure that 
each combination 
makes sense. Moving 
a message to a folder 
and then deleting it is 
illogical, for instance. 


e When you select two 
or more actions, 
Outlook Express 
performs all those 
actions on messages 
that match the rule’s 
conditions. You 
cannot change the 
order of actions. 


e Use the Flag It or 
Highlight It With 
Color actions to call 


attention to messages 
that remain in your 
Inbox. You might 
want all messages 
from your boss to 
appear in your Inbox 
in red, for instance. 


Don’t select the Mark 
The Message As 
Watched Or Ignored 
option for a mail rule; 
this option is design 
for working with 
newsgroups in 
Outlook Express. 


For any message that 
you plan to delete 
because you’re 
certain it’s unwanted, 
use the Mark It As 
Read and Delete It 
options. 


If you 
receive a 
large 
amount of 
spam and 
you use 
rules to 
mark it as 
read and 
delete it, 
you should 
disable the 
feature 
that 
automatica 


lly notifies 
you when 
new e-mail 
arrives. If 
you leave 
the 
notification 
option on, 
you're 
likely to be 
confused 
by the new 
message 
indicator, 
which is 
triggered 
by the 
arrival of 
any 
message 
in the 
Inbox and 
cannot be 
turned off 
by a 


message 
rule. 


e Select the Stop 
Processing More Rules 
option if you want the 
action in the current 
rule to be the only 
one that applies to 
messages meeting 
that condition. 


3. As you select each item in steps 1 
and 2, Outlook Express fills in the 


Rule Description box. If a condition 
or action requires you to specify a 
value, that value is underlined and 
displayed in blue. Click the 
underlined text to fill in each value, 
as described here: 


e For People, you can 
enter any valid e-mail 
address or select 
from the Address 
Book. Use the Add 
button (shown here) 
to enter each name. 
Enter a domain name 
without including a 
user name or the at 
sign (@) if you want 
the condition to apply 
to all messages from 
that domain. 


“For the Specific 
Words condition, you 
can enter one or 
more words or 
phrases. 


e To customize a 
condition, click the 
Options button. As 
mentioned earlier 
(and shown here), 
the Rule Condition 
Options dialog box 
lets you add “not” to 
a condition. If the 
condition contains 
more than one item, 


use the second option 
to toggle between 
“and” and “or”. 


“If you select the 
option to move or 
copy a message to a 
specified folder, you 
can select that folder 
(or create a new one) 
from a dialog box. 


e Before you can use 
the Reply With 
Message option ina 
rule, you must first 
create the message 
you want to use as 
your response. After 
creating the message, 
choose File, Save As 
in the new message 
window and save the 
message using the 
.eml extension. Select 
the saved message as 
the text of your 
automatic reply. 


4. In the Name Of The Rule box, 
replace the generic test with a 
descriptive name for the newly 
created rule and click OK to save 
your changes. 


After creating a new rule, you return to the 
Message Rules dialog box. Use the Move Up or 
Move Down button to place your new rule in the 
correct position. From this dialog box, you can 


edit any rule directly; to rename a rule or change 
the list of conditions or actions for a rule, click 
the Modify button. 


Message Rules in Outlook 


Although the basic principles behind message 
rules are the same in Outlook as in Outlook 
Express, the options available for creating a rule 
are considerably more extensive and, for the 
most part, more flexible. In Outlook, for example, 
you can create rules that act on messages you 
send as well as those you receive. You also have 
a much broader range of conditions and actions 
from which to choose. 


Choose the right Outlook version 


Which version of Outlook should you 
use? If you plan to use message rules, 
we highly recommend Outlook 2002 
over any other version. Outlook 97 
isn’t a viable option—the Rules Wizard 
was introduced as an add-on in 
Outlook 98. As we point out in 
Chapter 10, “Keeping Your E-Mail 
Private,” both Outlook 97 and Outlook 
98 have too many security problems 
for us to recommend them. Outlook 
2000 is considerably more robust, but 
Outlook 2002 (part of Office XP) adds 
several highly desirable tweaks to the 
Rules Wizard—most notable is the 
capability to specify multiple values as 
part of a single condition. With 
Outlook 2000, you need to create a 
separate rule for each value you want 
to test; which can make the list of 
rules cumbersome and, if it gets large 


enough, virtually impossible to 
manage. 


Creating a new rule requires that you use a five- 
step wizard. To get started, open the Outlook 
Inbox and choose Tools, Rules Wizard. The Rules 
Wizard dialog box (Figure 11-6) displays a list of 
all currently available rules. 


“-Figure 11-6. Use the Rules Wizard to 
create and manage e-mail filters in Microsoft 
Outlook. 


Click the New button to begin creating a rule, and 
then follow these steps: 


1. Choose from a list of preconfigured 
templates or use a blank rule. 


e Templates, such as 
those shown in Figure 
11-7, include 
preselected conditions 
and actions. If the 
template you choose 
meets all your needs, 
click the underlined 
links in the Rule 
Description box to fill 
in any required values 
and then click Finish. 


“-Figure 11-7. 
These templates 
cover the most 
common types of 
message rules. 
You can use a 
template to get 
started and then 


continue using 
the wizard to add 
more conditions 
or actions. 


e If no template meets 
your needs, choose 
Start From A Blank 
Rule, choose Check 
Messages When They 
Arrive, and click Next. 


2. Select the conditions for your 
message rule. If any of the selected 
conditions require that you specify 
values, click the underlined 
keyword in the Rule Description box 
and fill in the appropriate blanks. 
(When you add multiple values for 
a condition, the Rules Wizard 
separates them with “or,” as shown 
here.) 


Click Next to continue. Use the 
following guidelines to get the most 
out of conditions: 


e You can select 
multiple conditions, 
just as you can for 
rules in Outlook 
Express. In Outlook, 
however, multiple 
conditions are always 
joined with the “and” 
operator—that is, the 
rule will be applied if, 
for example, 
condition A is true 
and condition B is 


true. You cannot 
change this operator 
to “or.” 


Create an 
“or” rule 


If you 
need to 
test for 
two 
different 
conditions, 
either of 
which can 
be true, 
you need 
to do so in 
separate 
rules. 
(With 
Outlook 
Express, 
you can do 
this ina 
single 
rule.) 
Outlook 
doesn’t let 
you create 
“exclusive 
or” rules, 
where the 
rule is 
triggered if 
A is true or 
B is true 
but A and 
B are not 


both true. 
However, 
you can 
easily 
achieve 
the same 
result 
using two 
consecutiv 
e rules. In 
the first 
rule, use 
the 
condition 
“A is true 
except 
when B is 
true.” In 
the second 
rule, do 
the 
reverse: 
“B is true 


except 
when A is 
true.” 


e In addition to testing 
for words in the 
subject or body of the 
message and in the 
sender’s or recipient’s 
address, you can also 
select With Specific 
Words In The 
Message Header. This 
option allows you to 
create rules based on 


the name of a specific 
mail server, for 
instance, or to look 
for technical 
information found 
only in a message 
header, such as the 
name of the program 
that created the 
message or the name 
of a server through 
which it passed 


Select Sender Is In 
Specified Address 
Book if you want the 
rule to be triggered 
for any address that 
appears in an Outlook 
address book you’ve 
set up. (If you use 
Internet standard 
SMTP mail servers, 
the default address 
book is the Contacts 
folder; if you connect 
to a Microsoft 
Exchange server, you 
can choose from 
additional address 
books on the server). 


Although you can do 
so in Outlook 
Express, you cannot 
add “not” to a 
condition in Outlook. 
Instead, create an 


exception using step 
4. 


3. Select an action for the rule. Here, 
too, you can select multiple actions, 
filling in any required values in the 
Rule Description box. Click Next to 
continue. Note the following 
Suggestions: 


e The Delete It option 
moves the message 
to the Deleted Items 
folder. The 
Permanently Delete It 
option eliminates all 
traces of the 
message. Be 
extremely careful 
with the latter option. 


Filter out 
viruses 


A simple 
message 
rule allows 
you to 
permanent 
ly delete 
messages 
that are 
infected 
with a 
virus. This 
type of 
rule can be 
a welcome 
addition to 


your 
antivirus 
arsenal. 
The trick is 
to use two 
conditions, 
one that 
tests for a 
phrase 
always 
found in 
the virus 
(such as “I 
send you 
this file in 
order to 
have your 
advice,” 
which is 
found in 
messages 
infected 
with the 
Sircam 
virus) 
along with 
the Which 
Has An 
Attachmen 
t 
condition. 
For any 
message 
that meets 
both 
conditions, 
use the 
Permanent 


ly Delete It 
action. 


e If you delete or move 
a message because 
you are confident that 
it is spam, be sure to 
select the Mark It As 
Read action as well. 
This prevents you 
from being distracted 
by new messages 
that almost certainly 
aren't worth reading. 


e Unless you’re a skilled 
Microsoft Exchange 
developer, ignore the 
Perform A Custom 
Action option; this 
action requires that 
you create a 
dynamic-link library 
(DLL) for a custom- 
rule for use with an 
Exchange server. 
Read more about this 
option in Microsoft 
Knowledge Base 
article Q151690, 
“What Is the 
` Custom’ Rule Action 
For?” 


4. Add any exceptions that the rule 
should take into account. The list of 
exceptions is essentially the same 
as the conditions list, allowing you 
to create more complex rules. For 


instance, if you’ve created a rule 
that tests for words and phrases 
commonly found in spam, you 
might add an exception for any 
message received from a person 
whose e-mail address is in your 
address book. Click Next to 
continue. 


5. Give the rule a descriptive name 
and click Finish. 


6. In the initial Rules Wizard dialog 
box, use the Move Up or Move 
Down button to place the new rule 
in the proper position. 


Troubleshoot message rules 


If a message rule isn’t behaving as 
you expect it would, the most likely 
reason is that another rule is 
performing an action on the message 


first. Two Knowledge Base articles, 
Q291633, “How to Troubleshoot the 
Outlook Rules Wizard,” and Q197496, 
“Outlook Rules Wizard 
Troubleshooting,” offer helpful 
Suggestions. 


To modify a rule after you’ve created and saved 
it, open the Rules Wizard dialog box and select 
the entry you want to modify from the list of 
available rules. If you simply want to add, 
change, or remove a value from the conditions or 
actions for the rule, you can do so directly in the 
Rule Description box at the bottom of the dialog 
box. Click the link for the value, add the new 
item, and save your changes. This is the correct 


technique to use if you have a Trusted Contacts 
or Known Spammers rule, for instance, and you 
want to add a new address or domain to either 
list. To make more substantial changes to a rule, 
such as adding or removing a condition or action, 
click the Modify button and run through the 
wizard for that rule. 


Filters in Hotmail and MSN 


Microsoft’s Web-based e-mail services, Hotmail 
and MSN, include several built-in spam-filtering 
options. These options are the only way to filter 
mail received through these services. If you 
configure Outlook Express or Outlook to receive 
and send mail through an MSN or Hotmail 
account, any message rules you create for use 
with POP3 accounts will be ignored when you 
connect to MSN or Hotmail. 


If your MSN e-mail account was set up 
before October, 2000, and you have 
never converted it to a Web-based 
account, you might be able to send 
and receive MSN mail using any 
Internet-standard POP3 client, 


including Outlook Express or Outlook. 
If you use this relatively rare 
configuration, you should ignore the 
steps described here and use message 
rules in your e-mail client software to 
filter out spam. 


To set up spam-filtering options in these services, 
go to the main Hotmail or MSN email page after 
logging on, choose Options, and configure any of 
the following options, all found under the heading 
Mail Handling: 


Junk Mail Filter. Choose Off, Low, 
High, or Exclusive. The Exclusive 
option sends all mail to the built-in 
Junk Mail folder unless the sender 
is in your address book. 


Junk Mail Deletion. Choose 
whether you want all junk mail 
deleted immediately or held for 
seven days. Choose the former 
option only if you're certain that 
your rules are set properly. 


Safe List. Specify the addresses 
that you do not want filtered as 
junk mail. When you open any 
message in the Junk Mail folder, 
you can click the This Is Not Junk 
Mail option to add its address to the 
Safe List automatically. 


Mailing Lists. Enter the To address 
for any mailing list to which you 
subscribe. This disables all junk- 
mail filtering for these list 
messages. 


Block Sender. Use this list to block 
specific addresses or entire 
domains. Any messages from these 
senders are removed on arrival and 
never appear in your Inbox, Junk 
Mail folder, or Trash Can. Use the 
Block button on any message to 
automatically add the sender to this 
list. You can block up to 250 
individual addresses and an 
apparently unlimited number of 
domains. 


e Custom Filters. You can create 
and save up to 11 filters in this list, 
which Hotmail uses to automatically 
move messages to other folders 
based on the subject or address 
block. These filters are extremely 
rudimentary and not particularly 
useful for spam-blocking; they are 
most useful if you want to 
automatically divert mailing list 
messages to their own folder. 


Any mail-handling rules you set using the Web- 
based MSN or Hotmail interface will apply to all 
messages you receive through that account. This 
is true even if you have configured Outlook 
Express or Outlook to handle your MSN or 
Hotmail account. 


If you use the MSN Explorer client software to 
read your MSN or Hotmail messages, your spam- 
filtering options are far more limited. This 
software, which is intended for users who are 
uncomfortable with too many technical options, 
includes an Inbox Protector feature that 
automatically shunts most unsolicited mail into a 
Bulk Mail folder. You can block senders and add 
addresses to a Safe list. To set these options, 
open MSN Explorer, click the E-Mail button, and 
choose More Choices, Settings. 


Using Outlook’s Junk Mail and Adult 
Content Filters 


Outlook 2000 and Outlook 2002 include a pair of 
preconfigured message rules designed to 
automatically filter out junk mail and messages 
that contain adult content (that is, come-ons for 
pornographic Web sites). Used with their default 
settings, these rules are only marginally effective 
and can result in a fair number of false positives 
(legitimate messages incorrectly detected as junk 
mail) and outright misses, in which offending 
messages reach your Inbox. However, with some 
judicious tweaking you can integrate these filters 
into your spam-fighting program and increase 
their effectiveness. 


In their default configuration, the Outlook Junk 
Mail and Adult Content filters consist of three 
mechanisms: 


e A list of words and phrases 
commonly found in spam 
messages. The settings file is 
documented in a readme file called 
Filters.txt; in Outlook 2002, this file 
is stored in the 
%ProgramFiles%\Microsoft 
Office\Office10\Loca/eID folder, 
where /ocaleID is the locale 
identifier for your version of Office. 
(For U.S. English, this value is 
1033.) Despite what you might 
read in some misinformed articles 
on the Web, these settings are not 
editable; the contents of Filters.txt 
consist of documentation only. 


e A user-configurable list of Junk 
Senders and Adult Content 
Senders. These lists are maintained 
as text files in your user profile. You 
can edit this list manually (one 
address per line), although it’s 
much easier to add senders to this 
list individually—select a message 
in the message list, right-click, and 
choose Junk E-Mail, Add To Junk 
Senders List (or Add To Adult 
Content Senders List). Note that 
Outlook does not create either list 
until you add at least one name to 
the list. 


Spread your junk-mail 
net wider 


When you add an 
address to the Junk 
Senders list or the Adult 
Content Senders list, 
Outlook adds the entire 
address. If you edit the 
list of senders manually, 
however, using either 
the Rules Wizard ora 
text editor such as 
Notepad, you can add an 
entire domain to this 
list. Thus, if you want all 
e-mail you receive from 
a given domain to be 
treated as junk mail, 
add that domain name 
to the list. 


e A user-configurable Exception list, 
which is also saved as a text file in 
the same location as the Junk 
Senders and Adult Content Senders 
lists. Any addresses found on this 
list are automatically exempted 
from the checks performed by the 
built-in junk mail rules. 


The official method for turning on these filters is 
as follows: 


1. From the Outlook Inbox, choose 
Tools, Organize. 


2. Click the Junk E-Mail link in the 
Ways To Organize pane. This 
displays the options shown in 
Figure 11-8. 


“-Figure 11-8. The default 
action for these filters merely 
changes the color of each 
message that is detected as 
junk mail or adult content. To 
move messages to a different 
folder, you must change these 
options. 


3. By default, these rules are set to 
change the color of each matching 
message: junk e-mail to gray, adult 
content messages to maroon. 
Select Move instead of Color for 
each rule to move the messages to 
a different folder rather than simply 
changing their color. 


4. Click the Turn On button to enable 
each rule. Doing so creates an 


Exception List rule at the top of the 
Rules Wizard. If you’ve chosen 
Move instead of Color as the action, 
Outlook creates a new rule in the 
Rules Wizard as well. (If you choose 
the Color option, this task is 
handled by the Automatic 
Formatting feature for the default 
view.) 


So far, so good. Unfortunately, this seemingly 
simple set of steps has a couple of drawbacks: 


e The newly created rules are added 
to the top of the Rules Wizard. As a 
result, they’re processed before any 
custom rules you've previously 
created. This practically guarantees 
that some legitimate messages will 
be handled improperly because 
they happen to contain a suspect 
phrase like “special promotion” or 
“over 21” or “check or money 
order.” 


e If you choose the Move action, your 
messages are moved to a different 
folder, but they are not marked as 
unread. 


e The filters’ criteria haven’t been 
updated in several years. Up-to- 
date spammers know about these 
filters and many avoid using the 
phrases contained in them. As a 
result, these filters trap only a 
fraction of the junk mail you're 
likely to receive. 


e The rules created in the Organize 
pane cannot be customized. 


If you still want to use these built-in filters, 
ignore the Organize menu and create a custom 
rule instead. Follow these steps: 


1. Use the Organize pane to turn on 
Junk E-Mail filtering. Choose the 
Move option and select a folder to 
which junk messages should be 
sent. This step creates the 
Exception List rule, which cannot be 
created manually. 


2. From the Outlook Inbox, choose 
Tools, Rules Wizard. 


3. Select the Junk E-mail rule and 
click Delete. 


4. In the Rules Wizard dialog box, 
click New. 


5. Select Start From Blank Rule, and 
then select Check Messages When 
They Arrive. Click Next, and follow 
the wizard’s prompts to create a 
rule using the following conditions 
and actions: 


e Suspected To Be Junk 
E-Mail Or From Junk 
Senders 


e Move It To The Junk 
Mail Folder (or any 
folder you specify) 


e Mark It As Read 


e Stop Processing More 
Rules 


e Except If Sender Is In 
Contacts Address 
Book 


6. Save this rule using a descriptive 
name, such as Junk Senders. When 
you finish, the result should look 
like the rule shown in Figure 11-9. 


“-Figure 11-9. Use this 
improved version of the built-in 
junk mail filters. 


7. Repeat steps 2-4 but use the 
condition Containing Adult Content 
Or Suspected To Be From Adult 
Content Senders. 


8. Return to the Rules Wizard and 
move the newly created rules to the 
bottom of your list of message 
rules. Make sure the Exception List 
rule is above the Junk Senders and 
Adult Content Senders rules. 


Handle exceptions 


If you discover that the Junk Senders 
rule is regularly catching mail it 
shouldn't, you have two options. You 
can add the sender to your Outlook 
Contacts folder so that the sender’s 
name isn’t processed by your 
customized rule. If you’d prefer not to 
create a new address book record, add 
the name to the Exception list. Open 
the Rules Wizard and select the 


Exception List rule. In the description 
pane, click the Exception List link and 
type or paste the address you want to 
add. If this process seems too 
cumbersome, create a shortcut to 
%UserProfile%\Application 
Data\Microsoft\Outlook\Exception 
List.txt and add the shortcut to your 
Start menu or desktop. Use this 
shortcut to open the Exception List 
and edit it using Notepad. 


By using this strategy, you ensure that the built- 
in junk filters are processed after any custom 
rules you’ve created to handle messages from 
trusted contacts, mailing lists, and other senders. 
These rules should also come after any spam- 
handling message rules you've created. In fact, 
these rules should be near the bottom of your list 
of message rules, above only the catch-all rule 
that handles messages that can’t be handled by 
any existing rule 


Backing Up Message Rules 


Creating a custom set of message rules and 
tweaking them so that they work exactly as you 
intend involves a significant amount of time and 
effort. Every so often, be sure to back up your 
filtering rules and save them to a safe place (not 
just on your computer, where the backup can 
vanish in the event of a disk crash). 


In Outlook Express, message rules and the 
Blocked Senders list are stored in the registry, 
with a separate set of rules for each identity. To 
back up these settings manually, follow these 
steps: 


1. Open Registry Editor (Regedit.exe). 


2. Navigate to the following key, 
where GUID is the 32-character 
unique code for your identity: 


HKCU\Identities\ 
{ GUID} \Software\Microsoft\Outloo 
k Express\5.0\Rules 


3. Right-click the key name and 
choose Export from the shortcut 
menu. (In Windows 2000, choose 
Export Registry File from the 
Registry menu.) 


4. In the Export Registry File dialog 
box, enter a descriptive file name 
(My Message Rules, say) and a 
location for the saved settings. In 
the Export Range area at the 
bottom of the dialog box, keep the 
default setting, Selected Branch. 


5. Click Save. 


6. If you’ve added any names to the 
Blocked Senders list, repeat steps 
2-5 for the Block Senders key in 
the same branch of the registry. 


To restore the backed-up rules, double-click the 
saved file and import the settings into the 
registry. 


Make backing up easier 


If exporting settings from the registry 
seems unnecessarily complex, try any 
of several third-party backup utilities 
to simplify the task. Express Assist 6.0 
completely backs up all messages, 


addresses, and settings, including 
message rules. Outback does the 
same task for all versions of Microsoft 
Outlook. Download a trial copy of 
either program from 

http://www. ajsystems.com. 


Outlook offers an easy way to export and import 
all the message rules you create. Exporting the 
rules saves a copy of all rules in a file; if you 
need to restore the rules later, on the same 
computer or a different one, use the import 
option and specify the same file. To export all 
rules, follow these steps: 


1. From the Outlook Inbox, choose 
Tools, Rules Wizard. 


2. Click the Options button. 


3. In the Options dialog box, click the 
Export Rules button. 


4’-Enter a descriptive file name 
and a location, and then click Save. 


If you’ve customized the Junk Senders and Adult 
Content Senders lists, back them up as well. 
These text files are stored (along with other 
Outlook settings) in the 
%UserProfile%\Application 
Data\Microsoft\Outlook folder. 


Third-Party Spam-Busting 
Solutions 


If the message-filtering capabilities of your 
favorite e-mail software seem too cumbersome, 
consider using third-party software to do the dirty 
work. Literally dozens of spam-fighting utilities 
and services are available for Windows users to 
choose from. The following are among our 
favorites: 


SpamWeasel is a freeware utility from MailGate. 
It includes a huge database of known spammers 
and suspicious words and phrases as well as a 
powerful list of preconfigured rules. It operates 
with any Internet standard email client, 
intercepting messages before they reach your 
inbox, examining the messages, and quarantining 
suspected spam. Configuration is challenging, but 
the results are worth it. Get additional 
information at 


http://www. mailgate.com/products/spamweas/s 


w_feat.asp. 


SpamKiller is a $40 commercial utility that also 
works with any e-mail program. Because it’s 
driven by wizards, it’s relatively easy to 
configure, and you can build new filters based on 
spam you receive. The original developer, 
NovaSoft, published regular updates to the 
program’s filters. It remains to be seen whether 
new owner McAfee.com will maintain the product 
as well. Get more details at 

http://www. spamkiller.com. 


SpamEater from High Mountain Software comes 
in a free standard version and a $25 paid version. 
It’s integrated with online databases of known 
spammer blacklists, and the full paid version 


supports online updates to the application and 
filter rules. It’s also integrated with SpamCop, a 
service that allows you to automatically generate 
complaints about persistent spammers. For 
details, point your browser to 


http://www.hms.com/spameater.asp. 


SpambHole is a free online service that creates 
temporary e-mail addresses you can use when 
you must provide an address to use a Web site 
that is not known to be trustworthy. The address 
you create is automatically forwarded to your real 
e-mail address and automatically expires after a 
period of time that you specify. Get details at 
http://www.spamhole.com. 


Fighting Back Against Spam 


If you’re inundated with unwanted e-mail, your 
natural inclination is to fight back. Surely there 
must be someone to whom you can complain, 
right? 


Yes and no. 


Given the free-for-all nature of the Internet, it 
should come as no surprise that no uniform laws 
govern unsolicited commercial e-mail. Depending 
on where you live, you might be able to file a 
lawsuit against the sender and even have a 
reasonable chance of succeeding—if you can 
identify the sender, that is. For an excellent 
overview of current anti-spam statutes in the 
United State, Europe, and around the world, visit 
David E. Sorkin’s Spam Laws site at 
http://www.spamlaws.com. 


If you live in the United States, or if the spam 
appears to have originated in the United States, 
you can send it to the U.S. Federal Trade 
Commission. According to the FTC’s Web site, the 
agency “invite[s] consumers and Internet Service 
Providers to forward UCE to an e-mail box at 
uce@ftc.gov. ... [T]he UCE mailbox receives an 
average of 10,000 new pieces of UCE every day, 
seven days a week. The Commission has 
responded to fraudulent UCE with a vigorous law 
enforcement program.” You'll have the best 
chance of getting results if the spam in question 
is a come-on to a scam that has the potential to 
defraud investors or consumers. 


The online SpamCop service 
(http://spamcop.net) specializes in helping 
Internet users track down the source of spam 
and then file complaints. You can use the 


reporting system for free or pay a small fee to 
remove banner ads and streamline the complaint 
process. The organization, run by Julian Haight, 
also offers low-cost filtered e-mail accounts and 
comprehensive filtering options for corporate 
clients. 


Whatever you do, don’t try to fight back by 
spamming the spammers! The urge to flood an 
inconsiderate e-mail marketer with hundreds or 
thousands of reply messages can be 
overwhelming, but the consequences can be dire. 
You could be inadvertently accused of spamming 
yourself, and the IP address of your mail server 
could land in one of the Internet’s “black hole” 
lists, which block suspected spammers from 
sending mail to subscribing servers. 


Chapter 12 


Fighting Hacker Attacks 


Now that nearly every personal computer is 
connected to the Internet, either directly or 
indirectly, malicious hackers have plenty of 
tempting targets to attack. Prior to these 
ubiquitous interconnections, malware such as 
viruses spread from one computer to another 
primarily by users sharing infected floppy disks, 
and damage was confined to the computers on 
which the infected disk had been used and its 
programs run. Widespread adoption of Internet 
connections and, in particular, always-on 
broadband connections present new opportunities 
for denizens of the dark side. Infections can 
spread much more quickly, of course. And worse, 
new types of threats exist: 


e Unauthorized users can access 
private data on a computer via the 
computer's Internet connection. 


e Attackers can use an unprotected 
computer as a gateway toa 
corporate network by piggybacking 
onto the computer’s virtual private 
network (VPN) connection to the 
network. 


e A miscreant can use an unprotected 
computer as an unwitting 
accomplice in a distributed denial of 
service attack—an attack in which 
many computers are directed in 
concert to flood another computer 
with requests, effectively making it 
unusable. 


Some of these vulnerabilities are mitigated by 
using a secure version of Microsoft Windows 
(Windows XP or Windows 2000) and 
implementing password protection, NTFS 
permissions, antivirus software, and other 
techniques described in this book. But for 
effective protection from attacks by malicious 
intruders outside your local area network, you 
need a firewall. 


In this chapter, we explore some of the threats 
presented by an unprotected Internet connection. 
We then examine firewall protection, both 
software and hardware. Some firewalls, in 
addition to stopping unwanted Internet 
communications, use a log to keep track of 
rejected connections. As we explain, you can 
sometimes use this information to hunt down 
attackers. 


Security Checklist: Fighting 
External Attacks 


Here’s a list of steps to take to prevent 
attacks from the outside: 


e Keep your system up to 
date with security 
patches and updates 
from Microsoft. 


e Install a personal 
firewall on each 
computer connected 
directly to the Internet. 


e Consider installing a 
firewall appliance 
between your network 


and your Internet 
connection. 


Configure your firewall 
to block all ports except 
those you actually use. 


Be selective when you 
configure application- 
based rules; be certain 
that a program asking 
for Internet access 
legitimately needs it. 


If your firewall appliance 
can be accessed and 
managed from the 
Internet, change its 
default user name and 
password. 


Monitor firewall logs for 
signs of attacks, such as 
probes of commonly 
exploited ports. 


How Hack Attacks Work 


Attackers—whether their intent is to steal 
information or computing resources, maliciously 
destroy information, or simply enjoy a challenge 
—employ a variety of methods to attack 
computers on the Internet. 


Many exploit software bugs in server applications, 
client applications, or operating systems. Like it 
or not, any but the most trivial application has 
bugs. 


Most bug-related security holes are the result of 
buffer overrun vulnerabilities. A buffer overrun 
occurs when a hacker manages to send more 
data to a particular input field than a program 
has allotted space for. For example, a program 
might be set up to accept a URL that’s no more 
than 256 characters long. If a hacker figures out 
how to send a 400-character “URL,” the extra 
characters could go into an area of memory 
where the program interprets them as 
instructions to be executed. Hackers find these 
types of vulnerabilities by examining program 
code (the source code for many programs is 
widely available) or simply by trying to overflow 
any place a program accepts input. If an overflow 
Causes a program to crash, the hacker might then 
be able to craft instructions that do his bidding 
instead of merely crashing a program. The 
successful exploitation of this type of vulnerability 
could enable an attacker to run code on the local 
system, for example. 


Other software bugs might cause a program to 
allow entry to a hacker who provides invalid 
input. Programs that handle valid input with 
aplomb sometimes don’t fare as well with input 


outside the expected range. Hackers can exploit 
such bugs in a manner similar to buffer overrun 
vulnerabilities. 


Attackers don’t need to rely solely on bugs to 
gain entry to Internet-connected systems, 
however. Systems that are not securely 
configured are easy prey. Systems that act as file 
servers can expose shared folders; other types of 
servers can also provide access to a computer. 
(Many Trojan horse programs set up servers that 
attackers can contact and use to gain entry.) A 
common tool of attackers is a port scanner—an 
automated program that can cycle through 
thousands of IP address/port combinations in 
search of open ports. (An open port is one that is 
listening for connection requests. ) 


Hackers also take advantage of systems on which 
security safeguards are disabled. While trying to 
troubleshoot a connection problem, for example, 
you might remove all restrictions, such as NTFS 
permissions, firewall protection, and so on. If you 
forget to restore your secure settings after 
resolving the problem, you can be sure that an 
attacker will discover this lapse. 


Check for holes 


Use Microsoft Baseline Security 
Analyzer (MBSA) or another security 


auditing program to search for 
insecure settings. For details about 
MBSA, see Testing_and Verifying Your 
Secure Status. 


Security expert Robert Graham has cataloged a 
number of attacks using the vulnerabilities 
outlined in the preceding paragraphs. Although 
the information on his Web page titled “FAQ: 


Network Intrusion Detection Systems” is 
somewhat dated, it provides a useful introduction 
to the methods used by attackers. You can view 
the page at 
http://www.robertgraham.com/pubs/network- 


intrusion-detection.htm!. 


DoS Isn't an Operating System 


Another nasty trick is a denial of 
service (DoS) attack, in which the 
perpetrator attempts to crash a 
computer by overwhelming it with 
data. Doing so doesn’t give the 
attacker access to the computer’s 
information, but he effectively makes 
the computer unusable. The packets in 
a DoS attack are malformed in some 
way, which causes the computer to 
expend all its resources attempting to 
deal with the flood of erroneous data. 


The year 1999 saw a more potent 
variant with the launch of the first 
distributed denial of service (DDoS) 
attack. In a DDoS, an attacker directs 
many computers (usually numbering 
in the hundreds) to launch coordinated 
DoS attacks against a particular 
computer or network. DDoS attacks 
have been used to knock several high- 
profile companies, including Yahoo!, 
Amazon.com, CNN, and eBay, off the 
Internet for hours or days at a time. 
But these large companies weren't the 
only victims; many of the computers 
used to carry out the attacks belonged 
to unsuspecting individuals whose 
computers were also tied up to the 
point of paralysis. 


Dave Dittrich, a security expert at the 
University of Washington, has 
assembled an exhaustive collection of 
links to information about DDoS. If 
you want to know more about DDoS— 
how it works, prevention tools and 
techniques, news reports, and much 
more—visit his “Distributed Denial of 
Service (DDoS) Attacks/Tools” page at 
http://staff. washington. edu/dittrich/mi 
sc/ddos/. 


Blocking Attacks with a 
Firewall 


Many of the dire events outlined in the preceding 
section can be prevented by using a properly 
configured personal firewall. A firewall is a 
program or a device that provides a barrier 
between a computer and the Internet. (Firewalls 
can be used to isolate computers within a local 
area network as well, but the concern on most 
networks is threats from the Internet, and that’s 
our focus in this chapter.) As shown in Figure 12- 
1, a firewall prevents entry of packets that don’t 
meet the criteria you specify, while allowing 
transparent passage to authorized connections. 


“-Figure 12-1. A firewall blocks attacks and 
unsafe content while allowing legitimate 
communications and safe content to pass 
through. 


Packet Filtering 


Most firewalls work (at least in part) by packet 
filtering; that is, they block or allow 
transmissions depending on the content of each 
packet that reaches the firewall. 


Packet filter rules can be configured in a firewall 
to block or allow transmissions from or to certain 
IP addresses or ports. A packet filter examines 
several attributes of each packet and can either 
route it (that is, forward it to the intended 
destination computer) or block it, based on any of 
these attributes: 


e Source address. The IP address of 
the computer that generated the 
packet. 


Destination address. The IP 
address of the packet’s intended 
target computer. 


Network protocol. The type of 
traffic, such as Internet Protocol 
(IP). 


Transport protocol. The higher 
level protocol, such as Transmission 
Control Protocol (TCP) or User 
Datagram Protocol (UDP). 


e Source and destination ports. 
The number that communicating 
computers use to identify a 
communications channel. 


For more information about TCP/IP 
ports, see Chapter 17, “Securing Ports 
and Protocols.” 


Stateful-Inspection Packet Filtering 


Blocking based on addresses, ports, and 
protocols is very fast, but it’s an inadequate 
solution by itself. When a TCP connection is made 
to a destination port (usually on one of the well- 
known low-numbered ports with numbers less 
than 1024), an arbitrarily numbered source port 
(somewhere in the range greater than 1023 and 
less than 16384) is opened on the client 
computer. You certainly wouldn’t want to leave all 
ports in this range open to incoming connections, 
which would present a huge target for attackers. 
This is where stateful-inspection packet filtering 
comes in. Here’s how it works, using a Web 
browser as an example: 


1. You enter a URL in your browser’s 
address bar. 


2. The browser sends one or more 
packets of data, addressed to the 
Web server. The request itself 
contains HTTP instructions. The 
destination port is 80, the standard 
port for HTTP Web servers; the 
source port is between 1023 and 
16384. The outgoing request has 
only the SYN flag turned on. (For 
more information about the SYN 
flag, see the following sidebar. ) 


3. The firewall saves information 
about the connection in its state 
table, which it will use to validate 
returning inbound traffic. 


4. The Web server sends a reply (the 
contents of the Web page you 


requested) addressed to your 
computer’s IP address and source 
port. 


5. The firewall receives the incoming 
traffic and compares its source and 
destination addresses and ports 
with the information in its state 
table. If the information matches 
(and if the incoming packet has 
only the ACK and SYN flags turned 
on), the firewall permits the reply 
to pass through to the browser. If 
the data doesn’t match in all 
respects, the firewall discards the 
packet. 


6. Your browser displays the received 
information. 


TCP, SYN, ACK, and Other TLAs 


TCP is a “connection-oriented” 
protocol, which means that it goes 
through an elaborate process to 
establish and confirm reliable 
communications before it can transmit 
data. TCP uses flags in the TCP header 
to perform this process, as follows: 


1. One computer sends a 
packet with the SYN 
(short for synchronize) 
flag turned on. This 
says, in effect, “Hey, I’d 
like to opena 
connection.” 


2. The receiving computer 
responds with a packet 


that has both the SYN 
and ACK (acknowledge) 
flags turned on. In other 
words, “Okay, let’s chat.” 


3. The first computer then 
sends a packet with only 
the ACK flag turned on. 


This sequence—which is actually much 
more complex than this simplified 
explanation might suggest—is 
sometimes called the TCP three-way 
handshake. 


Oh, and TLA? That’s geek speak for 
three-letter abbreviation. 


Application Filtering 


More sophisticated personal firewalls can filter 
based on the content of traffic directed at the 
firewall, scanning for viruses, malicious code, 
ActiveX controls, Java applets, cookies, and so 
on. In addition, and perhaps more important, 
these firewalls can limit outbound connections to 
approved applications only. A rule for each 
application that attempts to connect to another 
computer (on your local area network or on the 
Internet) determines whether the connection is 
allowed or blocked. Some personal firewalls come 
with preconfigured rules for common 
applications. 


Most personal firewalls offer some sort of rule 
assistant that makes it easy for you to create 
new rules to accommodate other applications. For 
example, with ZoneAlarm Pro, a message similar 
to the one shown in Figure 12-2 appears when 
you use an application for which you haven’t 
granted automatic Internet access. Simply click 
Yes or No to allow or block the application. 


“-Figure 12-2. When an application 
attempts to connect to the Internet and you 
haven't defined a rule for it, ZoneAlarm Pro 
displays a message like this. 


Because a firewall controls a// TCP/IP 
communications through a particular network 
connection, it can block communications with 
other computers on your network if the same 
connection joins your computer to the LAN and 
the Internet. To give you unfettered access to 
your LAN while still enjoying protection from the 
Internet, many personal firewall programs use 
security zones. Although these zones are 


conceptually similar to the security zones used by 
Microsoft Internet Explorer, Microsoft Outlook 
Express, and other applications, they are not the 
same. Each firewall program implements zones in 
a slightly different way. For example, ZoneAlarm 
has three zones: a trusted zone (for computers 
you explicitly trust, such as those on your LAN), a 
blocked zone (for computers you explicitly 
distrust), and an Internet zone (for all other 
computers). ZoneAlarm makes it easy to 
configure your zones. For example, when 
ZoneAlarm Pro detects a network, it displays a 
message like the one shown in Figure 12-3, 
which allows you to add your LAN to the trusted 
zone. 


“-Figure 12-3. Upon detecting a new 
network—usually your LAN—ZoneAlarm Pro 
displays a message like this one, in which 
you can specify the security zone for the 
network. 


Internet Connection Firewall (ICF), the 
firewall included with Windows XP, 
does not use security zones; it 
controls all TCP/IP communications in 
the same way. If you use ICF on the 


network connection that connects your 
computer to the LAN, you'll need to 
use another protocol, such as IPX/SPX 
or NetBEUI, for file and print sharing. 
For details, see Protocols and Other 
Software Components. 


One type of exploit that outbound filtering is 
likely to prevent is your computer's participation 
in a DDoS attack. Most firewalls are configured to 
block the ports used by known DDoS tools. In 
addition, should you inadvertently install such a 
tool in the guise of a Trojan horse (by opening a 


malicious e-mail attachment, for example), a 
firewall with outbound application filtering will 
prevent its use unless you explicitly grant it 
permission. 


In addition to stopping Trojan horse programs, 
application-based outbound filtering can be used 
to stop “spyware” programs from reporting 
information back to the publisher. For example, 
some privacy activists are concerned about 
recent versions of Windows Media Player, 
including the version that comes with Windows 
XP. Researchers discovered that when you play a 
CD or a DVD, Media Player connects to the 
Internet to download the disc name and track 
information, which it stores on the computer. 
(Although the information is downloaded for your 
convenience, you might be concerned that others 
can use this information to see which discs you've 
played.) At the same time, Media Player 
transmits an identifying number; presumably this 
identifier could be tied with the names of discs 
you've played so that marketers can offer songs 
and videos from artists that might interest you. If 
you view this as an invasion of privacy, configure 
a rule to block Media Player from accessing the 
Internet. (Of course, blocking Media Player’s 
Internet access breaks its ability to display 
information about CD titles and songs; you might 
reasonably conclude that the convenience 
outweighs any privacy risk.) 


Some personal firewalls come with a 
large number of predefined rules or 
automatically generated rules that 
allow certain applications to access the 
Internet without ever asking your 
permission. The danger of this 
convenience is that the developer who 


defines the rules might not share your 
standards for determining which 
programs should be given access. Be 
very wary of a firewall program’s 
“automatic rule generation” feature. 
Instead, configure the program so that 
it asks for confirmation the first time a 
program attempts access. (This 
confirmation prompt is sometimes 
referred to in a program’s 
documentation as a “rule wizard,” 
“rule assistant,” or “learning mode.”) 
This one-time task, which usually 
involves only a single click per 
program, ensures that you control 
which applications have access. 


Some firewalls, including Internet 
Connection Firewall included with 
Windows XP, do not provide outbound 
traffic filtering. Whether that’s a 
significant limitation is subject to 


debate. For information about some of 
the problems with outbound traffic 
filtering, see the sidebar “Firewalls Are 
Vulnerable Too—Especially for 
Controlling Outbound Traffic.” 


No firewall is impervious to attack. A good 
firewall, however, provides yet another barrier, 
another defensive layer. Although a dedicated 
attacker might ultimately be able to penetrate a 
firewall, either because of its inherent 
vulnerabilities or improper configuration, upon 
encountering yours he’s more likely to move on 
to easier prey. 


Learn more about firewall 
technology 


The National Institute of Standards 
and Technology has published an 
excellent paper on firewall concepts, 
implementation, and administration 
titled “Guidelines on Firewalls and 
Firewall Policy” (NIST Special 
Publication 800-41). You can download 
it from 

http://csrc. nist.gov/publications/nistp 
ubs/800-41/sp800-41.pdf or you can 
order it from the Superintendent of 
Documents, U.S. Government Printing 
Office, Washington, DC 20402. 


Firewalls Are Vulnerable, Too— 
Especially for Controlling 
Outbound Traffic 


Several industrious hackers (good 
guys as well as bad guys) have 
developed methods with which to 
point out vulnerabilities in firewalls or 
to bypass them altogether. Outbound 
traffic detection seems to be the 
weakest feature in many firewall 
programs. (Remember too that some 
firewalls, including ICF, make no 
attempt whatsoever to monitor 
outbound traffic. ) 


Some of the earliest demonstrations 
showed that by merely changing the 
file name of a devious program to that 
of a trusted program (such as 
Iexplore.exe, the executable file for 
Internet Explorer), a devious program 
could penetrate the firewall and send 
out information without your 
knowledge or permission. Steve 


Gibson, president of Gibson Research 
Corporation, developed a simple 
program called LeakTest to 
demonstrate this weakness; you can 
read about it and try it yourself by 
visiting http://grc.com/It/leaktest.htm. 
Even the latest versions of some 
firewalls still fail this test. (Current 
versions of all the firewalls listed in 
this chapter, however, provide 
protection against this vulnerability. 
Most do this by storing a 
cryptographic signature—sometimes 
called an MD5 hash—of each trusted 
program along with the program’s 
name. A program with the correct 
name but an incorrect signature 
generates a warning instead of 
allowing information to pass out of 
your computer.) 


After firewall vendors patched that 
simple oversight, hackers developed 
ways to effectively attach malware to 
programs that are allowed to connect 
to the Internet. Programmer Robin 
Keir developed a program that 
manages to attach itself to a Web 
browser (a program that virtually all 
firewalls are configured to trust) asa 
dynamic link library (DLL). You can 
read about his program, called 
FireHole, at 
http://keir.net/firehole. html. Security 
researcher Bob Sundling has 
developed TooLeaky 
(http://tooleaky.zensoft.com), another 
proof of concept demonstration that 
achieves similar results. 


A more recent proof of concept 
demonstration called BackStealth 
allows a (potentially malicious) 
program to run in the context of the 
firewall itself. Using the same 
technique, a malicious program can 
connect to the Internet and send or 
receive information without being 
intercepted or even detected by the 
firewall. For more information about 
this type of attack, visit the Web site 
of its discoverer, Paolo Iorio, at 
http://www. paoloiorio.it/backstealth.h 


tm 


It’s important to recognize that 
hackers will continue to pound on 
firewalls—and will continue to find 
vulnerabilities. (Like Windows itself, 
firewall programs are usually patched 
by their publisher soon after a 
vulnerability is discovered. You'll want 
to periodically visit your firewall 
vendor’s Web site to check for updates 
and patches.) TooLeaky developer Bob 
Sundling concludes that “the added 
protection provided by outbound 
filtering is entirely illusory,” adding, “if 
a firewall is going to allow some 
program to transmit and receive data 
over the Internet, and that program 
allows other programs to control its 
actions, then there’s no point in 
blocking anything at all.” (Most 
security experts don’t share his bleak 
outlook, instead concluding that some 
protection is better than no 
protection.) 


The first requirement for an attacker 
to exploit vulnerabilities such as those 
demonstrated by LeakTest, FireHole, 
TooLeaky, and BackStealth is to 
execute a program on your computer 
—which is something you can prevent, 
by not executing untrusted programs 
and by promptly patching security 
holes. This bears repeating: An 
attacker must place a program on 
your computer (for example, by e-mail 
or by offering an attractive-sounding 
program on a Web site) and then 
persuade you to run the program. 
Don’t succumb! Use an up-to-date 
antivirus program to detect malware 
that you inadvertently download, keep 
your e-mail program in the Restricted 
Sites zone, and never open 
unexpected executable attachments. 
Properly configured antivirus software 
should detect a malicious program 
when it’s downloaded to your 
computer and, if you happen to 
execute it in spite of the warnings, 
when it performs malicious activity. 
For information about antivirus 


Viruses, Worms,_and Trojan Horses.” 


Who Needs a Firewall? 


In reality, any computer that’s connected to the 
Internet needs firewall protection. Always-on 
broadband connections (such as cable, DSL, and 
satellite) are perhaps more vulnerable to attack 
than dial-up connections. Because of shorter 
connection times and assignment of a different IP 
address with each connection, dial-up 
connections provide something of a moving 
target. In addition, because of their slower speed, 
dial-up connections are less attractive to some 
attackers (depending on the attacker’s goal). 


Nonetheless, you should seriously consider 
firewall protection for 


e A computer connected to the 
Internet via a dial-up connection 


e A computer connected to a cable 
modem or DSL modem 


e A computer that serves as an 
Internet gateway for other 
computers on a network (for 
example, by using Internet 
Connection Sharing) 


e Computers that are connected to a 
hub that is also connected to a 
cable modem or a DSL modem 


In short, any computer that is connected directly 
to the Internet should use a firewall. Computers 
that connect to the Internet through another 
computer on a network do not need to have a 
firewall installed. (In fact, firewalls in this type of 
setup can create additional complications.) 
However, you might find it useful to install a 


personal firewall such as ZoneAlarm Pro on each 
network workstation even when the network’s 
Internet gateway is protected; the second 
defensive layer offers additional features (such as 
pop-up ad blocking) and additional protection. 
For more information about firewall protection in 
a networked environment, see Chapter 15, 
“Sharing_an Internet Connection.” 


A sensible defensive strategy has 
multiple layers, including password 
protection, NTFS permissions, 
antivirus protection—and a firewall. 
And it can make sense to have a 
personal firewall on a workstation in 
addition to a hardware firewall device 
or network protection such as a router 
or a proxy server. But you should not 
install more than one software firewall 
on a single computer. The programs 
are likely to step all over each other as 
they attempt to be the first to 
examine each packet that enters or 
leaves the computer—and you’re likely 
to end up without a working 
connection. 


Using Internet Connection Firewall in 
Windows XP 


If you have Windows XP, you already have a 
personal firewall, called Internet Connection 
Firewall (ICF). ICF is a stateful-inspection packet 
filter that is easy to set up and configure, and it 
effectively blocks attacks from outside your 
computer. 


When you establish an outbound connection, ICF 
permits only responses that match information in 
its state table. In other words, it rejects any 
incoming packet that isn’t associated with a 
previous outgoing SYN or ACK packet. For more 
information about how this works, see Stateful- 
Inspection Packet Filtering. 


ICF drops any unsolicited incoming packets and 
terminates the connection unless both of the 
following conditions are true: 


e The packet is addressed to a port 
on which you allow incoming 
connections. For details, see 
Allowing Incoming Connections. 


The packet has only the SYN flag 
turned on. 


When ICF blocks an unsolicited inbound 
connection because it doesn’t meet both criteria, 
it does so silently; it does not respond at all. 
Because ICF operates in so-called stealth mode, 
port scanners see nothing when they attempt to 
get into your computer. The only ports that 
generate any response to a probe are ones that 
you open for incoming connections. 


Going Stealth 


Whether a firewall allows or blocks a 
communication attempt, by 
convention it replies to the initiating 
computer, reporting the port as either 
open or closed. That convention was 
established back in the earlier, 
friendlier days of the Internet. It was 
more than good manners; sending an 
immediate response let the requesting 
computer know the port’s status. 


But now that port scanners are readily 
available to every script kiddie and 
other attacker, many security experts 
recommend not responding to port 
probes. Because the port scanner 
receives no response, it can’t tell 
whether your computer is active or 
unplugged—or even whether it exists 
at all. Many personal firewalls call this 
“stealth mode.” Although a port that is 
closed (or even a properly configured 
server behind an open port) should be 
safe, it might entice an attacker to 
attempt an intrusion. 


In addition to improved security, you 
should derive a small amount of 
satisfaction from having stealth ports. 
That’s because the attackers’ port 
probes will actually be slowed down as 
they wait in vain for a response. 


Enabling Internet Connection Firewall 


The best way to enable ICF is by using the 
Network Setup Wizard. Even if you consider 


yourself a bona fide Windows expert, you should 
still run this wizard, which performs a host of 
essential configuration duties, as we explain in 
Adding Firewall Protection. If you have already 
run the wizard and you want to set up ICF 
manually, follow these steps: 


1. In Control Panel, open Network 
Connections (in the Network And 
Internet Connections category). 


2. Right-click the connection you want 
to protect—the one that connects 
your computer to the Internet—and 
choose Properties. 


If you use an analog modem for 
dial-up connections, this will be 
your Dial-Up Connection. If you 
have a DSL line or cable modem, 
look in the LAN Or High-Speed 
Internet group; if you have trouble 
identifying which icon belongs to 
your Internet connection, follow the 
advice in “Tell Your Connections 
Apart.” 


3. Click the Advanced tab, and select 
the check box under Internet 
Connection Firewall. 


al 


Troubleshooting 


An error occurs when you try to 
enable ICF. 


After you click OK in the connection 
properties dialog box (or in the 
Advanced Settings dialog box for ICF), 
you might see an error message. 
Open the Services snap-in (type 


services.msc at a command prompt 
or open Control Panel, Performance 
And Maintenance, Administrative 
Tools, Services), and double-click the 
Internet Connection Firewall 
(ICF)/Internet Connection Sharing 
(ICS) service. Set its startup type to 
Automatic (so that it starts 
automatically the next time you run 
Windows), and then click the Start 
button (so that it starts immediately). 


Some network configurations preclude 
the use of ICF. For more information, 
see Adding Firewall Protection. 


At this point, you can click OK; ICF is enabled 
and your computer is protected. 


Allowing Incoming Connections 


If you want to allow certain types of incoming 
connections, click the Settings button on the 
Advanced tab of the properties dialog box for an 
ICF-protected network connection. The Advanced 
Settings dialog box appears, as shown in Figure 
12-4. 


“-Figure 12-4, Items on the Services tab 
enable Internet users to penetrate the 
firewall to connect to services running on 
your computer. 


The Services tab displays a list of services that 
you can allow Internet users to access on your 
network; each item in the list represents a 
specific port number. Selecting any of these 
services tells ICF to allow incoming connections 
on the service’s port. 


Items on the Services tab are 
restrictions on incoming requests and 
do not affect outgoing use of the 
services. The setting of the Post-Office 
Protocol Version 3 (POP3) item in this 
list, for example, has no bearing on 


your ability to access a POP3 server at 
your ISP. But if you’re running a POP3 
server that you want outside users to 
be able to access, you'd select the 
check box for this item. 


Select the check box for any service on your 
network that you want to be available to users on 
the Internet. For example, to allow access to a 
Web server, select the Web Server (HTTP) check 
box. Doing so opens a dialog box in which you 
can specify the computer on your network that 
will receive the Web server requests. (See Figure 
12-5.) In the case of a stand-alone system, you 
should use the local computer name, or you can 
use the name /oca/host instead. If the Web server 
is running on another computer on your network, 
enter its name; outside users direct their Web 
requests to your Internet gateway, and ICF 
redirects those requests to the computer you 
specify. 


“-Figure 12-5. The only item you can 
change on the predefined services is the 
name of the computer that hosts the service. 


If the service or port that you want to be 
available isn’t listed on the Services tab, you can 
create a new entry. Click the Add button, anda 
Service Settings dialog box appears. Unlike in the 
dialog box for predefined services, in this dialog 
box you can edit all fields. Suppose you want to 
add support for an incoming connection to control 
the computer using PC Anywhere, for example. 


PC Anywhere version 9 requires the use of two 
different ports (TCP 5631 and UDP 5632); you 
must create a separate entry for each port. The 
details for the TCP port are shown in Figure 12-6. 


“-Figure 12-6. To add access to a service 
such as PC Anywhere, you must provide the 
port numbers. If the service requires multiple 
ports, create an entry for each port. 


You can enter any text you like in the Description 
Of Service box. In the two port number boxes, 
enter the port number associated with the service 
you're running. If you don’t know the number, 
you'll need to refer to the documentation for the 
software that runs the service. (Ordinarily, you 
set the external and internal ports to the same 
number. The separate fields enable port 
redirection, which is seldom used.) You must also 
select a protocol, which you can find wherever 
you find the appropriate port number. Most 
programs use TCP, but many multimedia 
programs use UDP. 


Troubleshooting 


A service doesn’t work properly 
after you enable ICF. 


Internet Connection Firewall is very 
effective—sometimes too effective. For 
example, after turning on ICF you 
might find that you can’t access some 
services on your network that you 
were previously able to use. The most 
common reason is that ICF is blocking 
a port to which you need access. ICF 
logs can help you find the problem. By 
examining the logs, you can 
determine the port number and add it 
to the list that ICF will open. For 


details about ICF logs, see Configuring 
Internet Connection Firewall Logging. 


Table 12-1 shows the details of the services 
predefined in ICF that are available on the 
Services tab, as well as details of ports you must 
open to use certain Windows Messenger features. 


Table 12-1. Commonly Used Ports for Incoming 
Connections 


Description Port Protocol 
Services predefined in ICF 


FTP Server 21 TCP 


Internet Mail Access 220 TCP 
Protocol Version 3 (IMAP3) 


Internet Mail Access 143 TCP 
Protocol Version 4 (IMAP4) 


Internet Mail Server 25 TCP 
(SMTP) 
Post-Office Protocol 110 TCP 


Version 3 (POP3) 


Remote Desktop (also 3389 TCP 
used by Windows Terminal 

Services and by Remote 

Assistance in Windows XP) 


Secure Web Server 443 TCP 
(HTTPS) 


Description Port Protocol 


Telnet Server 23 TCP 
Web Server (HTTP) 80 TCP 
Windows Messenger Services 


Windows Messenger file 6891- TCP 
transfer (you need only a 6900 
single port to receive a 

file; opening all ports in 

this range allows you to 

receive up to 10 files 

simultaneously) 


Whiteboard and 1503 TCP 
application sharing in 

Windows Messenger and 

NetMeeting 


The only way to get full Windows 
Messenger capability (that is, instant 
messaging, audio, video, application 
sharing, whiteboard, file transfer, and 
remote assistance) across the Internet 
is to have Universal Plug and Play 
(UPnP)-compatible gateways at both 
ends of a connection. The most 
problematical features are audio and 
voice communication, which use 
dynamically assigned ports in the 
range of 5004 through 65535. Without 
UPnP, the two computers cannot 
negotiate a connection through 
firewalls or network address 


translation (NAT) devices. The good 
news is that ICF and Internet 
Connection Sharing (ICS) in Windows 
XP are UPnP compatible. For more 
information about UPnP, see Why Your 
Router Should Be UPnP-Compatible. 


Configuring ICMP Options 


TCP and UDP are used to transmit data. But 
Internet communication also relies on Internet 
Control Message Protocol (ICMP) to communicate 
status, control, and error information between 
computers. In addition, widely used 
troubleshooting tools such as Ping and Tracert 
use ICMP to establish network connectivity. 
Because ICMP carries no data, it can’t be used to 
break into your machine and steal information. 
But hackers do use ICMP messages for scanning 
networks, redirecting traffic, and carrying out 
DoS attacks. 


By default, ICF blocks most types of outgoing and 
incoming ICMP messages. With options on the 
ICMP tab of the properties dialog box for an ICF- 
protected network connection (see Figure 12-7), 
you can allow certain types of ICMP packets. 
Table 12-2 provides more information about 
these options. There’s seldom a reason to enable 
any of these options except for troubleshooting 
purposes, and they can expose your computer to 
certain security risks. 


“-Figure 12-7. ICMP messages are often 
used for network debugging. 


Table 12-2. ICMP Options 


Option Description 


Option 


Allow 
incoming 
echo 
request 


Allow 
incoming 
timestamp 
request 


Allow 
incoming 
mask 
request 


Allow 
incoming 
router 
request 


Allow 
outgoing 
destination 


unreachable 


Description 


With this option enabled, your 
computer responds to Ping 
(echo) requests. This option is 
the one most likely to be 
useful for ordinary 
troubleshooting and is one of 
the few you should consider 
enabling. 


When this option is enabled, 
your computer acknowledges 
certain requests with a 
confirmation message that 
indicates the time the request 
was received. 


When this option is enabled, 
your computer listens for and 
responds to requests for 
information about the network 
to which it is attached. 


When this option is enabled, 
your computer responds to 
requests for information about 
its routing tables. 


When this option is enabled, 
your computer responds to an 
unsuccessful attempt to reach 
it or another computer on your 
network with an explanatory 
acknowledgment of the failure. 


Option 


Allow 
outgoing 
source 
quench 


Allow 
outgoing 
parameter 
problem 


Description 


Enabling this option allows 
your computer to send source 
quench messages. A source 
quench message is a request 
to the sending computer to 
slow down its transmission 
rate because your computer 
can’t handle packets as quickly 
as they arrive. In rare 
instances, this option can be 
useful for solving certain 
communications problems. 


When your computer receives 
data with an incorrect header, 
it discards the data; enabling 
this option allows your 
computer to report information 
back to the sending computer 
when this occurs. This option 
can be useful for solving 
certain communications 
problems. 


Option Description 


Allow When a data transmission 
outgoing requires more time than 

time allowed (based on the time to 
exceeded live value associated with each 


packet) and your computer is 
therefore unable to reassemble 
a fragmented datagram, it 
must discard the datagram. 
When enabled, this option 
allows your computer to report 
back to the sender with a 
“time exceeded” message. This 
option can be useful for solving 
certain communications 


problems. 
Allow When enabled, this option 
redirect allows your computer to 


respond to a request to 
redirect data to a different 
gateway. (The intent of this 
ICMP message is to allow 
gateway computers to direct 
traffic to a shorter path—but 
it's easy to imagine how this 
feature can be abused.) 


Choosing a Third-Party Personal 
Firewall 


If you don’t have Windows XP or if you’re looking 
for features that aren’t included in Internet 
Connection Firewall, you need to consider other 
software publishers. You'll find no shortage of 
firewalls, intrusion detection systems, port 
monitors, and other programs that purportedly fill 
this need. Unfortunately, many such programs 
are electronic snake oil that, because they 
provide a false sense of security or because they 
have widely known (but unpatched) 
vulnerabilities, can actually be more dangerous 
than using no firewall at all. To help separate the 
good from the bad, ask yourself the following 
questions: 


Does the program use application-based 
outbound filtering? Properly configured, such 
programs can prevent Trojan horses, spyware, 
and other untrusted programs on your computer 
from accessing the Internet. 


How difficult is it to configure rules? Some 
programs with application-based filtering have 
preconfigured rules—but these rules might not be 
configured the way you would like. Better 
programs provide a combination of preconfigured 
rules and an easy way to add or modify rules. 


Does the program use security zones? A 
program that lets you specify trusted IP 
addresses provides easy LAN connectivity as well 
as secure Internet connections. 


Does the program use stealth mode? Stealth 
mode can make your computer invisible on the 
Internet; an attacker has no way of discerning 


whether your computer is connected to the 
Internet. 


Is the program compatible with ICS? If you 
use Internet Connection Sharing, a feature in 
Windows that allows you to use a single 
computer on your network as a gateway to the 
Internet that all computers on the network can 
share, be sure that the firewall supports ICS. Not 
all do. 


Does the program offer other, nonfirewall 
features? Many programs in this category are 
more than simple firewalls; some publishers 
strive to offer a one-stop Internet protection 
package. You'll need to decide whether you view 
that as a convenience or a “feature bloat.” Among 
the available features: some programs perform 
content filtering (for example, to block 
pornography), advertisement blocking, e-mail 
filtering (to isolate messages with active content 
or potentially dangerous attachments), and 
cookie management. 


Is the program certified by ICSA Labs? As it 
does for antivirus programs and other security- 
related products, independent tester ICSA Labs 
identifies and certifies products that its analysts 
deem effective. Without relying on advertising 
hype, ICSA Labs checks each product to confirm 
its ability to be installed by a nonexpert user, 
support Microsoft networking capabilities while 
providing protection, support concurrent dial-up 
and LAN connectivity, maintain consistent 
protection across multiple successive dial-up 
connections, block common external network 
attacks, restrict outgoing network 
communication, and log events in a consistent 
and useful manner. You can find information 
about the certification program, as well as a link 


to an up-to-date list of certified software, at 
http://www. icsalabs.com/html/communities/pcfir 
ewalls/index.shtml. 


How much does the program cost? Evaluating 
the cost is not as simple as it might seem. Some 
publishers set different prices depending on who 
is using the software and where. (For example, 
some publishers charge only business users, 
allowing home users to use their product for 
free.) You'll also need to determine which 
computers on your network need firewall 
protection and whether you'll need to purchase a 
separate license for each computer. (Some 
publishers offer a network license that lets you 
protect all computers on your local area 
network.) And some personal firewall publishers 
have embraced the trend toward subscription- 
based licensing; be sure to include this in your 
cost calculations. Subscriptions for some products 
entitle you to updated data files (for example, 
predefined rules or lists of sites for content 
filtering or ad blocking) as well as program 
updates. 


Is a trial version available? The best way to 
evaluate a program is to try it yourself. Many 
personal firewall programs are available for 
download and limited-time trial. 


The following pages provide information about 
nine leading makers of personal firewall software. 
The list is presented alphabetically and is not 
comprehensive. All of the products listed here, 
however, are generally held in high regard by 
security experts. Each company listed offers 
personal firewall software that is compatible with 
Windows 2000 Professional, Windows XP 
Professional, and Windows XP Home Edition. 


Find current comparative 
information online 


You can find additional lists of 
personal firewalls, along with reviews 
of current versions, at 


http://www. firewallguide.com/softwar 


e.htm. Agnitum, one of the vendors in 
the following list, publishes a handy 
(albeit slightly biased) feature 
comparison chart, which you can view 
at 

http://www. agnitum.com/products/ou 
tpost/compare.html. 


Agnitum, Ltd. 


Products: Outpost Firewall FREE, Outpost 
Firewall PRO 


At a glance: Outpost is a full-featured firewall, 
and it can be extended through the use of plug- 
ins, which can be developed by independent 
programmers. 


Web site: http://www.agnitum.com 
Deerfield.com 


Products: Personal Firewall, VisNetic Firewall 


At a glance: Although it’s more expensive than 
many products listed in this chapter, VisNetic 
Firewall includes many security and logging 
features that are usually found only on expensive 
corporate firewall products. 


Web site: http://www.deerfield.com 


Internet Security Systems, Inc. 


Products: BlackICE PC Protection 


At a glance: BlackICE Defender (the product’s 
original name) was an early leader in the 
personal firewall business. The early versions 
focused on intrusion detection, but recent 
versions also include outbound filtering and 
application monitoring. 


Web site: http://www.iss.net 
Kerio Technologies Inc. 


Products: Kerio Personal Firewall 


At a glance: The developers who created the 
first version of Tiny Personal Firewall went on to 
produce Kerio Personal Firewall. It monitors 
outbound traffic and its stealth mode hides your 
computer from outsiders. The software is free for 
home use, and business users may download and 
install it for free evaluation. 


Web site: http://www. kerio.com 
McAfee.com Corporation 


Products: Personal Firewall, Personal Firewall 
Plus 


At a glance: The McAfee.com firewalls are 
offered as an online subscription service. In 
addition to firewall protection, these products are 
integrated with Hackerwatch.org, a Web site that 
monitors hacker activities. 


Web site: http://www.mcafee.com 
Sygate Technologies, Inc. 


Products: Sygate Personal Firewall, Sygate 
Personal Firewall PRO 


At a glance: Sygate pioneered the use of stealth 
mode, and its firewalls continue to be technology 
leaders. Sygate Personal Firewall is free for 
personal use. 


Web site: http://soho.sygate.com 
Symantec Corporation 


Products: Norton Internet Security, Norton 
Personal Firewall 


At a glance: Norton Internet Security is a suite 
of components, which includes Norton Personal 
Firewall as its firewall component. In terms of 
disk space, it’s one of the largest you can find— 
but it’s packed with features that control every 
aspect of your Internet connections. 


Web site: http://www.symantec.com 
Tiny Software, Inc. 


Products: Tiny Personal Firewall 


At a glance: True to its name, this software 
requires a minuscule amount of disk space. But it 
works as well as the others and is free for 
personal use. 


Web site: http://www. tinysoftware.com 
Zone Labs, Inc. 


Products: ZoneAlarm, ZoneAlarm Pro 


At a glance: Almost since the inception of the 
personal firewall category, ZoneAlarm has been a 
leader in capabilities, effectiveness, and market 
share. In addition to its long-established use of 
security zones and application-based outbound 


filtering, the newest versions incorporate ad 
blocking, cookie controls, and more. 


Web site: http://www.zonelabs.com 


Using a Hardware Firewall Appliance 


If you have more than one computer connected 
to the Internet, you should consider using a 
hardware firewall appliance—also known as a 
router, residential gateway, or network address 
translation (NAT) device. Firewall appliances 
provide good protection from external attacks 
and can be a terrific complement to a personal 
firewall program. (As noted earlier, some personal 
firewalls filter outgoing traffic as well as incoming 
traffic; most hardware firewalls for home and 
small business use are unable to perform these 
tasks in any meaningful way.) 


One of the most effective tricks that a firewall 
appliance adds to your defensive measures is 
network address translation. In short, a NAT 
device uses a single IP address to communicate 
with the Internet, and it assigns an IP address 
within a range of private addresses to each 
computer on your network. The NAT device 
translates each private IP address into its public 
address, never exposing your computers’ 
addresses to the network. For more information, 
see How Network Address Translation Works. 


For information about selecting and 
configuring a firewall appliance, see 


Sharing_an Internet Connection 
Through Hardware. 


Two good sources of information about 
firewall appliances, including up-to- 
date reviews and analysis, are 
http://www. practicallynetworked.com 
and 


http://www. firewallguide.com/hardwar 
e.htm. 


Identifying Intruders 


If you carefully monitor the attempted attacks on 
your computer (some personal firewalls pop up a 
message box at each attempt), you'll soon be 
amazed—and perhaps terrified. Don’t be alarmed. 
Most of the intrusion attempts are random port 
scans by bored script kiddies, and they’re 
routinely rebuffed by your firewall. In fact, you'll 
probably want to disable those automatic alerts. 


Most personal firewall programs maintain a log of 
blocked connections and intrusion attempts. 
Figure 12-8 shows the log page in ZoneAlarm 
Pro. Other programs provide similar information, 
which you can use to track down intruders. 


Be on the lookout for repeat offenders. The 
reporting capabilities of personal firewalls vary 
widely, and some make this task much easier 
than others. In ZoneAlarm, for example, you can 
sort by any field in the log, including the Source 
IP or Count (number of times) columns. (These 
columns don’t appear in Figure 12-8; you need to 
scroll to the right.) 


“-Figure 12-8. ZoneAlarm Pro provides 
details about each entry in a box at the 
bottom of the window. 


Armed with the intruder’s IP address, you can 
use any of several Whois utilities available on the 
Internet to try to figure out the intruder’s 
identity. Some firewall programs make it even 
easier, by including a link to such information 
from within the firewall logs. If you use 
ZoneAlarm, several add-on programs are 
available that make it easier to analyze the 
information in the logs and follow up by notifying 


an intruder’s ISP with a single click. Among the 
best: 


e ZoneLog Analyser, from Matt’s 
Computer Solutions 


(http://zonelog.co.uk) 


e ClearZone, from Brady & 
Associates, LLC 
(http://www. y2kbrady.com/firewall 
reporting/clearzone/) 


Security expert Robert Graham (a cofounder of 
Network ICE, the company that produced 
BlackICE Defender) has published a document 
that explains the information in firewall logs. This 
lengthy document, which you can find at 
http://www.robertgraham.com/pubs/firewall- 
seen.html, identifies a number of port probes and 
other suspicious activity. 


Configuring Internet Connection 
Firewall Logging 


When Internet Connection Firewall, the firewall 
included with Windows XP, blocks traffic, it 
doesn’t display an on-screen alert as some 
personal firewalls do. However, you can configure 
ICF to store a record of its activity in a log file. 
When you turn on the logging option in ICF, it 
maintains a log of each connection that was 
blocked. It can also maintain a list of successful 
connections, but that tends to create very large 
log files, so it’s not a good option for long-term 
use. The logs are useful for both security auditing 
and debugging. For purposes of security auditing, 
you can see which IP addresses on the Internet 
are probing your computer and take action 
against them if necessary. 


To configure ICF logging, follow these steps: 


1. In Control Panel, open Network 
Connections (in Network And 
Internet Connections, if you use 
Category view), and double-click 
the connection you want to protect 
—the one that is connected to the 
Internet. 


2. Click the Properties button for the 
connection, and then click the 
Advanced tab. 


If the check box in the 


Internet Connection 
Firewall box is not 
selected, you haven't 
enabled ICF. You'll need 
to configure other 


settings besides logging; 
for details, see Enabling 
Internet Connection 
Firewall. 


3. Click the Settings button, and then 
click the Security Logging tab. 


4. Select Log Dropped Packets, as 
shown in Figure 12-9. 


“-Figure 12-9. Always log dropped packets 
(packets that are blocked by the firewall) so 
that you can determine whether the access 
was an attempted attack or a legitimate 
connection that was denied. 


Examining Internet Connection Firewall 
Logs 


By default, the ICF log is named Pfirewall.log and 
is kept in the %SystemRoot™% folder. For a quick 
look at the file, you can open it with Notepad, as 
shown in Figure 12-10. Each line in the file 
represents an event that ICF has logged. Fields 
on the line are separated by spaces, and the 
Fields entry near the top of the file defines the 
name of each field. 


“-Figure 12-10. The ICF log can tell you 
what traffic is being blocked, providing useful 
information for security audits and 
debugging. 


For more detailed analysis, you might want to 
import the ICF log into Microsoft Excel. To do this, 
follow these steps: 


1. Start Excel, and choose File, Open. 


2. In the Files Of Type box, select All 
Files; then select the firewall log 
file. If ICF is running, as it normally 
is, Excel warns you that the file is in 
use. Select the Read Only option to 
open the file. Excel starts the Text 
Import Wizard to convert the file to 
a spreadsheet. 


3. Select Delimited text. Start the 
import at row 4, which defines the 
field names, and then click Next. 


4°"Change the delimiter to Space, 
and be sure the option Treat 
Consecutive Delimiters As One is 


selected. The columns should look 
like this: 


5. Click Next. You can fine-tune 
the import process in this step, but 
Excel does a good job using its 
default General type. 


6°°Click Finish. When the import is 
complete, right-click cell A1, which 
should contain the string “#Fields:”, 
choose Delete, and then select Shift 
Cells Left. Click OK to put the 
column headings over the correct 
fields. 


You can save the imported spreadsheet to a new 
file or use Excel’s analysis and sorting features to 
analyze the file. Figure 12-11 shows an imported 
log. 


“-Figure 12-11. After you delete cell A1, the 
column headings are correctly aligned, and 
the file is ready to be saved and analyzed. 


The AutoFilter feature in Excel 
provides and easy way to analyze 
log data. To use it, select the 


entire table and choose Data, 
Filter, AutoFilter. Then, click the 
arrow that appears by a column 
heading to filter the display. 


Fighting Back 


So what do you do if your computer is repeatedly 
attacked? You can track down and report the 
offenders to their ISP. A few ISPs are responsive 
to well-documented complaints and willing to pull 
the plug on system abusers. Unfortunately, most 
large ISPs are swamped with reports, 
understaffed because of competitive market 
conditions, and rarely willing to deal with any 
complaint that doesn’t come from the FBI. But 
it’s worth a try. 


DShield (http://www.dshield.org), an 
organization sponsored by the highly regarded 
SANS Institute, tracks reports of intrusions. It 
compiles this information into interesting and 
useful reports that can alert you to trends in 
Internet attacks. But perhaps more important, 
DShield helps you to fight back by analyzing 
submitted log reports and, when the evidence is 
sufficient, contacting the ISP from which an 
attack originated. A message from DShield 
carries more credibility than a message from an 
unknown individual, so many ISPs take prompt 
action to disconnect the offender and remove any 
viruses from their servers upon receipt of such a 
message. 


You can also report an attack to law enforcement 
agencies. At this time, most law enforcement 
efforts are aimed at attacks on government and 
commercial computers; individuals are a much 
lower priority. You can learn more about your 
options and current policies by visiting the 
National Infrastructure Protection Center (NIPC), 
an arm of the Federal Bureau of Investigation 
(FBI), at 


http://www. nipc.gov/incident/incident.htm. At 
the NIPC site, you'll also find recommendations 
for protecting evidence and helping federal, state, 
or local law enforcement agencies investigate the 
incident. Its recommendations include the 
following actions: 


e Respond quickly. Traces are often 
impossible if too much time is 
wasted before alerting law 
enforcement. 


e If unsure of what actions to take, 
do not stop system processes or 
tamper with files. This may destroy 
traces of intrusion. 


e Use the telephone to communicate. 
An attacker may be capable of 
monitoring e-mail traffic. 


e Make copies of files an intruder may 
have altered or left. If you have the 
technical expertise to copy files, 
this action will assist investigators 
as to when and how the intrusion 
may have occurred. 


e DO NOT contact the suspected 
perpetrator. 


Chapter 13 


Protecting Your Privacy 


The Internet is the greatest research tool ever 
invented. With it, you can learn almost anything 
—the symptoms of obscure diseases and their 
treatments, the names and birthdates of your 
distant ancestors, the favorite restaurants of your 
favorite restaurant critics—you name it. While 
you're out roaming and combing, however, keep 
in mind that parties on the other side of your 
screen are also busy conducting research. The 
object of their study is you. Unless you take 
certain precautions, putting the world at your 
fingertips can also mean having the world in your 
face. 


Not all of the parties interested in you and your 
activities are located somewhere out in the ether. 
One or more could be down the hall or in the 
next cubicle. According to a recent study by the 
Privacy Foundation 

(http://www. privacyfoundation.org/workplace/tec 
hnology/extent.asp), more than a third of the 
people in the United States who use the Internet 
in their daily work are under some form of 
continuous (not just random or ad hoc) 
surveillance by their employers. Network packet 
sniffers, proxy servers, and other employee- 
monitoring tools are inexpensive, effective, and 
virtually impossible for the sniffee to detect. 


In this chapter, we survey the major privacy 
hazards attendant on your computer use, at 
home and at work. We show you how to 
configure the privacy features in Microsoft 
Windows and Microsoft Internet Explorer and 
where to find alternatives that offer additional 
protection. Finally, we outline strategies for 


protecting what’s yours to protect and for 
avoiding embarrassment in circumstances where 
your privacy is, to some extent, already 
compromised. 


Security Checklist: Protecting Your 
Privacy 


Here’s a quick checklist of practices 
you might want to adopt to help keep 
the “researchers” at bay: 


e Make sure that any 
Internet site requesting 
a credit card number, 
your Social Security 
number, or your driver’s 
license number is using 
a secure protocol such 
as Secure Sockets Layer 
(SSL) or Secure 
Electronic Transaction 
(SET). 


e Be suspicious of anyone 
requesting personal 
identification numbers 
via e-mail. If you must 
send such information 
via e-mail, use S/MIME 
(Secure/Multipurpose 
Internet Mail Extensions) 
or PGP (Pretty Good 
Privacy) encryption. (For 
information about 
encrypting e-mail, see 
Protecting_E-Mail from 
Prying_Eyes. ) 


e On any computer that’s 
not under your exclusive 
control, do not use 
Internet Explorer’s 
AutoComplete feature 
for forms or passwords. 
Decline offers from all 
Web sites to remember 
your logon credentials. 


e Teach your children how 
to surf the Web safely. 
In particular, be sure 
they understand that 
they should never reveal 
their real names or 
addresses on chat sites 
and never arrange face- 
to-face meetings with 
Internet contacts. 


e If you’re using Internet 
Explorer 5, upgrade to 
version 6 for its superior 
cookie management. 


e Establish a cookie policy 
that gives you an 
acceptable balance of 
convenience and privacy. 
As one possibility, you 
might block all third- 
party cookies, accept all 
session cookies, and 
accept or block 
persistent first-party 
cookies on a case-by- 
case basis, adding the 
names of trusted sites to 


your browser's per-site 
list so that you don’t 
continue to receive 
prompts for their 
cookies. (This approach 
is only one of many 
possibilities. Take the 
time to learn about the 
different types of 
cookies, as explained in 
“A Cookie Taxonomy,” 
and about your 
browser’s cookie-filtering 
options; then find the 
configuration that works 
for you.) 


Don’t give away 
information that isn’t 
requested. On Internet 
forms, fill out required 
fields only. 


Clear the Allow Sites To 
Uniquely Identify Your 
Player option in Windows 
Media Player. 


Acquire and use a 
spyware detector, such 
as Lavasoft’s free Ad- 
aware program. 


Assume that your 
computer activities at 
work, both online and 
offline, are being 
monitored. Don’t use 
your employer’s 
computer for personal 


business without your 
employer’s awareness 
and consent. 


Protecting Your Identity 


A thief who steals your identity can turn your life 
upside down. By appropriating information that 
uniquely identifies you—your mother’s maiden 
name, the PIN for your online banking system, 
your driver’s license number, and (for residents of 
the United States) your Social Security number— 
the crook can pretend to be you, with disastrous 
effects. Because many financial institutions and 
businesses accept a Social Security number as 
positive proof of identity, the criminal can apply 
for credit in your name, transfer money from 
existing credit cards and bank accounts, sign up 
for telephone service, and even initiate legal 
proceedings such as bankruptcy. And thanks to 
the proliferation of online databases, cleaning the 
misinformation out of your credit report can take 
years. 


According to the U.S. Federal Trade Commission 
(FTC), identity theft is on the rise. Fortunately, 
you can take a number of steps to minimize your 
chances of becoming a victim. (The FTC 
maintains an excellent Web site on identity theft 
at http://www. consumer. gov/idtheft.) One way 
to keep a tight rein on your vital ID numbers is to 
make sure you never send them over a 
connection that isn’t secure. In this context, 
secure nearly always means that the connection 
between you and the remote party is encrypted 
via Secure Sockets Layer (SSL). Using a secure 
connection offers two types of protection: First, it 
guarantees that the information is encrypted 
during transmission so that no one can intercept 
it as it wends its way across the Internet. 
Second, it provides a way to identify the recipient 
Web site by checking the details of its certificate. 


Protect Yourself from Con Artists 


Identity thieves have access to a full 
bag of dirty tricks, including some that 
are decidedly low-tech in nature. Most 
of them involve simple “social 
engineering,” in which a con artist 
tries to fool a gullible or inattentive 
victim into giving up useful 
information. One popular scam uses e- 
mail messages to solicit vital 
information. The scammer blasts out 
hundreds or thousands of e-mail 
messages that appear to be from the 
recipient’s Internet service provider. 
According to the message, the ISP 
needs to update its billing records and 
asks for name, address, phone 
numbers, and credit card numbers. 
The responses, of course, go to the 
thief’s throwaway e-mail account. 
Even if only a handful of people are 
sucked in by the trick, the thief has 
come out ahead. 


Other, similar con jobs involve e-mail 
messages soliciting applications to 
refinance your mortgage at irresistible 
rates, phony e-commerce sites 
promising merchandise at prices that 
are too good to be true, and even 
phone calls from slick-talking shysters 
claiming to work for a bank or credit 
reporting agency. 


How can you keep from being duped? 
Treat the vital details of your personal 
and financial life with caution, and 
never hand them out unless you're 
absolutely, positively certain that the 


person asking for the information is 
legitimately entitled to it. Be especially 
suspicious of unsolicited offers that 
promise unrealistic returns. Above all, 
remember this: When in doubt, check 
it out. 


To verify that your connection is using SSL, look 
for the following: 


e The URL for the site should begin 
with Attps://, not http://. 


e A lock icon should appear in the 
status bar of your browser window 
(both in Internet Explorer and 
Netscape/Mozilla). 


Note that many commerce sites begin their 
interaction with you over a standard HTTP 
connection and switch to SSL only when you need 
to send personally identifying data. This design is 
sensible and improves performance by using the 
more complex SSL process only for pages that 
require encryption. Also, a Web designer can 
construct a page using frames, with the secure 
portion of the page in its own frame and the 
surrounding HTML code in a standard page. If 
you see a lock icon but the Address bar shows an 
http: prefix, right-click the portion of the page 
where you’re being asked to enter data, choose 
Properties, and inspect the Address and 
Connection information to be sure the 
transmission is secure. 


SSL is a secure protocol originally developed by 
Netscape and supported by all major Web 
browsers. The protocol employs a combination of 
public key cryptography, one-way hashing, and 
symmetric cryptography to ensure that data sent 


and received is intelligible only to the appropriate 
parties. The public key and hash components of 
this process are used first to authenticate the 
server and then to create and encrypt a key that 
is used for the rest of the transaction. Once these 
steps are complete, the actual transmission of 
your personal data is encrypted symmetrically 
because symmetric encryption is considerably 
faster than public key encryption. Each 
connection uses a new key (created by your 
browser, not by the server), and the key itself is 
encrypted asymmetrically, so you can be 
confident that your transaction is secure. (For 
more details about how digital certificates work, 
see What Are Digital Certificates?. ) 


In the initial “handshake” phase of the SSL 
connection, your browser uses the server’s 
certificate to confirm the server’s identity. You 
can inspect that certificate yourself if you have 
any doubts about the authenticity of the party 
involved in your transaction. To see the certificate 
in Internet Explorer, follow these steps: 


1. Right-click anywhere on the page 
(except on a link or graphic), and 
choose Properties from the shortcut 
menu. 


2. In the Properties dialog box, click 
the Certificates button. 


In Netscape 6.2/Mozilla 1.0, you can check a 
site’s certificate this way: 


1. Right-click anywhere on the page, 
and choose View Page Info from the 
shortcut menu. 


2. In the Page Info dialog box, click 
the Security tab. 


3. On the Security tab, click View. 


As Figure 13-1 shows, Netscape/Mozilla’s Security 
tab provides some useful information about the 
encryption used for the current connection. If 
your connection is not secure, this dialog box will 
tell you so in straightforward, nontechnical terms. 


“-Figure 13-1. Netscape/Mozilla’s Security 
tab describes the encryption used by your 
connection. 


SSL confirms the server’s identity but not yours. 
The remote server simply accepts that you are 
who you say you are. With credit card 
transactions, as long as your name, account 
number, expiration date, and billing address 
accord with the bank’s records, the transaction is 
considered valid. For banking and trading 
activities, your identity is authenticated by your 
logon credentials (typically a user name and 
password). 


Secure Electronic Transaction: An 
Alternative to SSL 


Unlike SSL, the Secure Electronic 
Transaction protocol (SET) does 
authenticate both parties involved in a 
credit card transaction. SET was 
designed by major credit card firms to 
be a more secure alternative to SSL. 
To date, SET has not found 
widespread acceptance—in part 
because it entails expensive retooling 
by merchants and requires purchasers 
to acquire certificates. Nevertheless, 
you might find sites whose 


transactions are secured by SET, as an 
alternative or in addition to SSL. SET- 
enabled sites are more prevalent in 
Europe than in the United States. 


You can feel doubly secure if you 
locate a Web-based merchant that 
uses SET, but don’t go out of your way 
looking for such sites. Perhaps the 
biggest reason that SET has not 
become commonplace is that SSL is 
sufficiently secure for the 
overwhelming majority of online 
transactions. SSL has a long track 
record, and most vendors and banks 
have found it to be more than 
adequately secure. 


In the United States, your liability for fraudulent 
credit card transactions is typically limited by law 
to $50. (The same protections don’t apply to 
debit cards: A thief can use a debit card to drain 
your entire bank balance, and you have no legal 
recourse.) Still, the hassle of dealing with stolen 
credit card credentials and canceling a 
compromised card is something that no one 
wants to undergo. As for banking and trading in 
stocks and online investment accounts, the fine 
print you agreed to when you set up your 
accounts almost certainly makes you responsible 
for any action that occurs under a valid logon, 
which means that losing control of your 
credentials is a potential catastrophe. 


In addition to using strong passwords, you can 
take the following steps to ensure control of your 
logon credentials: 


e If possible, restrict sensitive 
activities to computers over which 


you have complete physical control. 
(In other words, do your banking at 
home, not at work—if possible.) 


e Disable your browser’s password- 
memorizing feature. 


Never supply password or PIN 
information in an unencrypted e- 
mail message or Web-based form, 
in a newsgroup post, in a Windows 
Messaging (or other instant 
messaging) session, or in a chat 
room. 


Both Internet Explorer and Netscape/Mozilla can 
remember your logon IDs and passwords—and do 
so by default. This convenience is great if you're 
the only one using your computer, but it’s a 
hazard if you’re not. Unless you disable the 
feature, a user walking up to your computer 
might well be able to access vital accounts by 
guessing your user ID (or just pressing the Down 
Arrow key at a logon screen). If the guess is 
correct, the browser will dutifully supply the 
password. 


Manage passwords with user 
accounts 


Your Internet passwords and other 
private information are stored in 
encrypted form and are available only 
while your user account is logged on. 
Therefore, for best security, each 
person who uses a computer should 
have his or her own user account. And 
when leaving the computer 
unattended, you should either lock the 
workstation (the quickest way is to 


press the Windows logo key+L), log 
off, or shut down. 


In Internet Explorer, the feature that remembers 
passwords is called AuttoComplete. To turn it off, 
follow these steps: 


1. Choose Tools, Internet Options. 
2. Click the Content tab. 

3. Click AutoComplete. 
4. 


In the AutoComplete Settings 
dialog box (see Figure 13-2), clear 
the check boxes for Forms and User 
Names And Passwords On Forms. 


“-Figure 13-2. Do not use 
AutoComplete for forms or 
passwords if others have 
access to your computer and 
your user account. 


The corresponding feature in Netscape/Mozilla is 
called Password Manager. You can disable it as 
follows: 


1. Choose Edit, Preferences. 


2. In the Category section of the 
Preferences dialog box, double-click 
Privacy & Security to reveal that 
entry’s subheadings. (If they’re 
already visible, skip this step.) 


3. Select Web Passwords. 


4. In the Password Manager section of 
the dialog box, clear Remember 
Passwords For Sites That Require 
Me To Log In. 


Zap a single saved password 


If you occasionally share a computer 
with a trusted family member or 
coworker, you might decide that you 
can safely store some user names and 
passwords on your computer for the 
sake of convenience, but not for those 
sites that include sensitive personal or 
financial details, such as your bank or 
credit union. In this set of 
circumstances, you might opt to have 
Windows always require that you 
enter passwords for certain sites—an 
online bank, for instance. If you’ve 
saved a user name and password for a 
site and no longer want that 
combination to be available, you can 
remove that single entry. Navigate to 
the page that contains the logon form, 
and click in the box for your user 
name. Press the Down Arrow key to 
reveal the saved name (or a list of 
names, if you’ve saved more than 
one). Use the arrow keys to highlight 
the name, and then press the Delete 
key. Windows will prompt you to 
confirm that you want to delete both 
the user name and the saved 
password. To manage the complete 
collection of automatically saved 
information, download the free PC 
Magazine utility AutoWhat? 2 from 
http://www.pcmag.com/article/0,2997 
,S=14788a=23587,00.asp. 


Ensuring Your Children’s Safety 
and Privacy 


The Children’s Online Privacy Protection Act of 
1998 (COPPA) directed the FTC to develop 
various regulations governing the behavior of 
U.S. Web sites oriented toward children under the 
age of 13. You can read the text of the law and 
its resulting regulations, in the original legalese, 
at 
http://www.cdt.org/legislation/105th/privacy/cop 
pa.html and at 

http://www. ftc. gov/os/1999/9910/64fr59888. pdf 
, respectively. In English, the regulations, which 
went into effect in April 2000, are described at 
http://www. ftc.gov/opa/1999/9910/childfinal.htm 


. The key points of the act are as follows: 


e Web sites oriented toward children 
are required to include a link to a 
statement describing their 
information practices. The 
statement must tell who is 
collecting information, how the 
information will be used, and 
whether it will be disclosed to third 
parties. 


e Web sites must obtain “verifiable 
parental consent” for collecting 
information from children. This 
consent can take various forms, 
including postal mail or fax, a credit 
card number, or a digitally signed 
e-mail message. 


e Parents must be given the option to 
consent to Web sites’ data 


collection without allowing the sites 
to share that information with third 
parties. 


e No parental consent is required for 
certain transactions, such as the 
disclosure of a child’s e-mail 
address in connection with a one- 
time “homework help” request. 


The upshot of these rules is to bring parents into 
the initial interaction between children and the 
Web sites that cater to them. That’s a good thing, 
certainly; prior to COPPA, according to the FTC, 
only 24 percent of sites collecting personal data 
from children posted privacy policies, and only 1 
percent required parental consent. 


Nevertheless, COPPA doesn’t begin to address all 
the hazards facing children online. In particular, 
the regulations do nothing to eliminate the 
possibility that a child will give out personal 
information to strangers over an instant- 
messaging connection, via e-mail, or in a chat 
room. Moreover, COPPA is concerned only with 
children under 13. Although teenagers might be 
more sensitive to privacy issues than younger 
children are, they are by no means immune to 
safety threats. Preserving the privacy and safety 
of all your children, teen and pre-teen alike, 
requires ongoing parental oversight. 


All privacy decisions (and most parenting 
decisions, for that matter) involve tradeoffs. You 
could eliminate online risks completely by simply 
unplugging your computer from the Internet, but 
you'd be giving up far more in enrichment than 
you'd gain in protection. For a balanced 
perspective on the benefits and risks of children’s 
Internet use, we recommend the site 


http://www.safekids.com, operated by the Online 
Safety Project. Here’s a condensed summary of 
parental do’s and don’ts that appear there: 


e Don’t let your children give out 
their names, school names, phone 
number, or address in a chat room 
or on a public newsgroup or bulletin 
board. 


Familiarize yourself with all the Web 
sites that your children use 
regularly. 


Never let your children arrange 
face-to-face meetings with 
strangers. 


e Don’t respond to obnoxious e-mail 
messages. 


e Teach your children to be dismissive 
of all offers that are too good to be 
true. 


If possible, keep track of what your 
children download from Web sites. 


For a discussion of content filters and Internet 
Explorer’s Content Advisor feature, which helps 
you control your children’s access to particular 
sites, see Using Content Advisor to Block 
Objectionable Content. 


Privacy Options in Opera 


In this book, we focus on the two 
leading Web browsers, Internet 
Explorer and Netscape 
Navigator/Communicator (also 
available in an open-source version as 


Mozilla 1.0). But Windows experts 
know that they have additional 
options, most notably the Opera 
browser (free with banner ads, $39 
without; from Attp://www.opera.com). 
Opera 6 has some worthwhile privacy 
features not available in Internet 
Explorer or Netscape/Mozilla. If you’re 
interested in exploring all your 
options, you might want to download 
the free version of Opera and check to 
see whether its privacy features meet 
your needs better than your current 
browser. 


For starters, Opera gives you the 
option of withholding referrer 
information when you log on to a new 
Web site. (The referrer information 
tells the new Web site the address of 
the site you’re coming from.) Second, 
although Opera does not filter cookies 
on the basis of their P3P (Platform for 
Privacy Preferences) parameters, as 
Internet Explorer 6 does, it includes a 
simple option to downgrade all 
persistent cookies to session status. If 
you object to having any form of 
cookie stick to your hard disk, but you 
want the services that session cookies 
provide—such as the ability to store 
items in an online shopping cart— 
Opera’s Throw Away New Cookies On 
Exit check box is an easy way to 
implement that policy. 


Additionally, Opera includes some per- 
site cookie-filtering options not 
available elsewhere. For example, you 


can specify top-level domains, such as 
.gOv or .org, in the per-site list so that 
cookies from all servers with URLs 
ending in the specified suffix are 
accepted or blocked. 


Managing Cookies 


In one of Charles Schulz’s classic “Peanuts” cartoon strips, Charlie Brown and 
Snoopy are at the mailbox. A jury summons for Snoopy has arrived. Charlie 
Brown believes there has to be some mistake—dogs can’t be required to 
perform jury duty. They talk it over, and in the last frame, Snoopy’s thought 
bubble says he'll go ahead and do his civic duty—but only if the court hands 
out free cookies. 


Snoopy would have loved the Internet, where he could have downloaded a 
bellyful every day. But over time, even he, like a growing number of human 
Internet users, might have come to regard Internet cookies with suspicion. 


Cookies are snippets of text (not program code) that are saved on your 
computer and recalled when you return to the Web site that stored the cookie. 
Used properly, cookies lubricate your interactions with Web sites in 
innumerable ways. They enable e-commerce sites to store your shopping-cart 
information as you browse their offerings. They allow news, weather, and 
sports services to tailor their offerings to your locality without pestering you for 
your zip code every time you visit. They make it possible for you to customize 
home pages at portals such as MSN so that those sites display only the 
information you actually care about in a layout that’s pleasing to you. 


For a detailed description of cookie types and functions from 
Microsoft’s perspective, see Knowledge Base article Q260971, 
“Description of Cookies,” at 

http://support. microsoft. com/default.aspx ?scid=kb;en-us;Q260971. 


But because cookies also enable advertisers to collect information about your 
shopping preferences and interests—information that you might prefer not to 
divulge—they are by no means an unmixed blessing. Some computer users 
simply don’t care about cookies. At the opposite extreme, some users prefer to 
ban cookies completely, foregoing the convenience that cookies provide in 
order to close the blinds on intrusive clickstream trackers. 


If you're willing to tolerate those cookies that play by a set of rules you define, 
you don’t have to take such drastic measures. With its support for the Platform 
for Privacy Preferences (P3P) initiative, Internet Explorer 6 provides a way to 
keep the cookies that seem useful to you and reject those that do not. 


Upgrade to Internet Explorer 6 


If you’re using Internet Explorer 5, the superior cookie management 
offered by version 6 is a good reason to upgrade. Internet Explorer 
6 is included with every installation of Windows XP; you can get 
upgrades for earlier versions of Windows at 


http://www. microsoft.com/downloads. 


What Your Browser Gives Away 


Cookies allow the owner of a Web site to store and recall 
information about how you use that site. But even without cookies, 
every time you log on to a Web site, your browser furnishes the 
following details to the Web server: 


e The make and model of your browser 
e Your IP address 


e The site you were last visiting, if you reached the 
current page by clicking a link on that site (although 


some privacy utilities, such as PC Magazine's 
CookieCop 2, can prevent this information from being 
sent) 


e Your Internet service provider 
e Your operating system 
e Your CPU type 


e Your screen resolution and color depth (browsers 
other than Internet Explorer don’t include this item) 


The server needs at least some of this information (your IP address, 
for example) in order to furnish your browser with a properly 
formatted Web page. If you’re not comfortable giving away this 
information, consider using an anonymous browser. (See Browsing 
Anonymously, for links to these esoteric privacy tools.) 


The Anatomy of a Cookie 


A cookie is a short string of text characters. The mechanism for transmitting 
the contents of a cookie between a server and a browser is defined as part of 
the Hypertext Transfer Protocol (HTTP) specification. If your browser is Internet 
Explorer, each cookie is stored as a separate .txt file in the folder 
%UserProfile%\Cookies. As Figure 13-3 shows, your cookies’ file names have 
the following format: 


account_name@domain_name[subscript] 


The naming convention and the profile-specific storage location ensure that 
multiple user accounts at a computer can access common Web sites and 
maintain separate customizations for those sites. (In Netscape/Mozilla, as in 
very early versions of Internet Explorer, all cookies are stored in a single file, 
called Cookies.txt. Internet Explorer has a way to move cookies between its 
format and that used by Netscape/Mozilla; for details, see Backing Up,, 
Restoring, and Deleting Cookies.) 


Figure 13-3. Internet Explorer stores cookies in %UserProfile%\Cookies 
and prefixes files with your account name. 


How a Cookie Is Created 


A Web site can create a cookie with an HTTP set-cookie header, which has the 
following format (the text shown here in angle brackets—<name> and 
<value>—for instance represents variables that are unique for each cookie): 


Set-Cookie: <name>=<value>[; <name>=<value>] . . . [; expires: 
[; domain=<domain name>] [; path=<path spec>][; secure] 


The significance of these elements is as follows: 


<name>=<value>. Name/value pairs are the main reason cookies exist. 
Each cookie can have an unlimited number of these (but must have at least 
one), and both the names and values can be whatever the site chooses to use. 
A site commonly uses this setting to assign a unique ID string to each visitor. 


expires=<date>. Cookies have a finite lifetime. This optional parameter 
specifies the cookie’s expiration date and time (in Greenwich Mean Time). If 
this parameter is omitted, the cookie is a session cookie, which expires when 
you close your Internet connection. (Session cookies are stored in memory 
only.) 

domain=<domain_name> and path=<path_spec>. These parameters 
specify the domain and (optionally) the path on the Web server for which the 
cookie is valid. Cookie data is never sent to a site other than the one that 
created the cookie. 


secure. If included, the secure keyword ensures that the cookie’s data will be 
transmitted only over an SSL (https) connection. 


Beware the secure cookie bug 


The secure keyword theoretically protects sensitive information 
(such as credit card numbers and passwords) from being sent “in 
the clear” over an unencrypted HTTP connection. In practice, a bug 
in versions 4 and 5 of Microsoft’s popular Web server software 
Internet Information Services (IIS) causes this keyword to be 
ignored. If a secure Web site sets a cookie that includes sensitive 
information and then switches to a standard HTTP connection while 
using the same cookie, your data could be at risk. As a user, you 


have no way of knowing when a site is potentially exposing you to 
this bug. Fortunately, this feature is rarely used and does not 
represent a substantial risk. If you run a Web site that uses either of 
these versions of IIS, make certain you apply the patch that fixes 
this bug. You can read more details in Knowledge Base article 
Q274149, “Cookies Are Not Marked as Secure in IIS.” 


A Cookie Taxonomy 


Cookies can be classified by their origin and lifetime. A cookie 
served by a site that you explicitly visit (for example, by clicking a 
link, choosing a shortcut from your Favorites list, or typing a URL in 
the Address bar) is called a first-party cookie. Web pages aren’t 
always put together using content from a single server, however. 
Banner ads, for instance, are usually placed at the top of Web pages 
by companies like DoubleClick and 24/7 Real Media, which 
specialize in the complex process of selling advertising space to a 
variety of clients and placing those ads on a wide-ranging network 
of Web sites; these ads typically come from a central server 
managed by the advertising company and not from the Web server 
supplying the content for the main page. A cookie that the 
advertising company’s server places on your computer is called a 
third-party cookie. (Netscape/Mozilla uses the term foreign to 
describe cookies placed this way.) In either case, the cookie can be 
read only by the site that put it on your computer in the first place. 


Cookies that expire when you close your Internet connection are 
called session cookies. Your browser stores these cookies in memory 
only. Cookies that are stored on your hard disk and have some 
expiration date in the future are known as persistent cookies. 
Session cookies are generally used for purposes such as recording 
the contents of shopping carts, and they constitute little or no 
privacy risk. 


First-party cookies can enable a site to build a database of your 
preferences and interests and might or might not pose a privacy 
problem, depending on how the site uses this information and 
whether it shares it with other organizations. First-party cookies, 
particularly session cookies, are often essential to the functioning of 
a Web site, however; if you block a site’s own cookies, you might 
find some of the site’s features (or even the entire site) impaired or 
unavailable. 


Third-party cookies are commonly used by advertising networks to 
develop profiles of Internet users’ habits and predilections. An ad 
from a single network can be placed on many different “host” Web 
sites. Using the cookie associated with the ad network’s server, the 
advertising company over time can build a comprehensive picture 
about what sites you visit, what ads you click, and so on. Of course, 
the cookie can’t identify you in any meaningful way. However, if the 
advertiser can convince you at some point to supply your name, 
address, and other identifying details (by offering you an 
opportunity to enroll in a contest, for instance), the company can 
store this information in the cookie and associate your Web- 
browsing behavior with you. Because the data accumulated in this 
fashion lets the ad firm serve up ads that are (at least in theory) 
targeted to your specific interests, you might regard this profiling as 
a service of sorts. Then again, you might see this monitoring as a 
form of cyber-stalking. 


Your browser has features that let you block particular kinds of 
cookies or that prompt you before accepting them. Understanding 
the difference between types of cookies is crucial to taking control 
of your privacy. 


Reading Cookies 


Because cookie files are plain text, you can open them in Notepad or another 
text editor. A typical cookie looks something like this: 


*-Nonprinting characters make the data hard to read in Notepad. A number 
of independent software developers offer cookie-management utilities that 
make the data easier to read, if not necessarily easier to understand. (For a 
survey of such programs, see Using_a Cookie-Management Program.) If you 
don’t have a cookie-management program, you can make the data more 
presentable by copying it into a spreadsheet program. When you paste cookie 
text into Microsoft Excel, for example, Excel parses fields into separate 
worksheet cells, making it easier to see what’s there. The MSN cookie shown in 
the preceding illustration looks like this when pasted into Excel: 


lang 

en-us 
msn.com/ 
1056 

3571 TO04A032 
30124358 
ADS 273 11 1S 
29487244 

Zs 

MC1 
V=2&GUID=dlafccef£79145fea3f6de9881c2a58c 
msn.com/ 
1056 
3049388032 
29592233 
4127687776 
29487244 

* 

mh 

MSFT 
msn.com/ 
1056 
357100032 
30124358 
AIS 2627776 
29487244 


* 


As you can see, the cookie consists of three eight-line data blocks separated by 
asterisks. Each block includes a name/value pair, the cookie’s domain, and five 
additional numbers. In some cases, the field names and values are easy to 
figure out; in other cases, the cookie’s contents are a mystery. In this example, 
it’s easy to tell that this cookie sets the user’s language preference to U.S. 
English. Without knowing the inner workings of msn.com, however, it’s hard to 
discern how the other two name/value pairs are used. 


View cookies in the Temporary Internet Files folder 


In Internet Explorer, you can also check out your cookie store by 
choosing Tools, Internet Options. On the General tab of the Internet 
Options dialog box, click Settings. In the Settings dialog box, click 
View Files. (If you prefer, you can open this location from the Run 
dialog box or an Address bar by entering Y%ouserprofile% \local 
settings\temporary internet files.) Switch the folder to Details 
view if necessary, and then click the Type heading to sort by file 
type. Your cookies will be listed as text documents. It takes longer 
to see your cookies this way, but the Temporary Internet Files folder 
includes a heading that shows each cookie’s expiration date. 


Setting Cookie Preferences in Internet Explorer 5 


Internet Explorer 5 can distinguish session cookies (cookies that are stored 
only in memory and disappear when you close your Internet connection) from 
persistent cookies (cookies that are stored on your hard disk and remain valid 
until their expiration dates). You can choose to accept or block all cookies of 
either type. Alternatively, for either type, you can have Internet Explorer ask 
you whether to accept a cookie on a case-by-case basis. 


Internet Explorer 5’s cookie settings can be applied separately for each security 
zone. By default, both session and persistent cookies are enabled in the 
Internet, Local Intranet, and Trusted Sites zones. In the Restricted Sites zone, 
both kinds of cookies are blocked. To change cookie settings, follow these 
steps: 


. Choose Tools, Internet Options and then click the Security tab. 
. Select the security zone whose settings you want to adjust. 


. Click Custom Level. 
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. In the Security Settings dialog box, shown in Figure 13-4, scroll 
down to the Cookies section and make your selections. 


Figure 13-4. Internet Explorer 5 lets you set cookie 
preferences on a per-zone basis, but your choices are 
restricted to Disable, Enable, and Prompt, and you can't 
discriminate between first-party and third-party cookies. 


For information about security zones in Internet Explorer, see Using 
Security Zones. 


If you choose to be prompted about whether to accept or reject a cookie, you 
will see a dialog box comparable to the following each time Internet Explorer 
needs a decision from you. (If you don’t see the fields at the bottom of this 
dialog box, click the More Info button.) 


Although Internet Explorer 5 does not distinguish between first-party and 
third-party cookies, the Domain field in this Security Alert dialog box can help 
you to do so. If the domain name matches the one you browsed to, you can 
assume that you’re being asked to approve a first-party cookie. If the domain 
name differs from the one in the Address bar, the cookie is from a third party. 


When Internet Explorer 5 prompts you about a session cookie, the words “End 
of Session” appear in the Expires box. Otherwise, you can assume that the 
cookie is persistent. 


To reject a cookie, click No. To accept it, click Yes. To accept this and all future 
cookies from the same domain, select In The Future, Do Not Show This 
Warning, and then click Yes. Note that you cannot use this check box to reject 
this and all future cookies from the same domain. (The No button becomes 
unavailable if you select the check box.) But if you encounter a site in the 
Internet zone from which you never want to receive cookies, you can add that 
site to the Restricted Sites zone, where all cookies (by default) are rejected. 
For information about adding sites to your Restricted Sites zone, see Adding 
Sites to Zones. 


Setting Cookie Preferences in Netscape 6.2/Mozilla 1.0 


Netscape 6.2/Mozilla 1.0 is set by default to accept all cookies, no questions 
asked. Unlike Internet Explorer 5, however, Netscape/Mozilla can distinguish 
first-party cookies from the third-party variety and makes it easy to block the 
latter. To do so, choose Edit, Preferences. Then, in the Privacy & Security 
section of the Category menu, choose Cookies to open the dialog box shown in 
Figure 13-5. 


Figure 13-5. In Netscape 6.2/Mozilla 1.0, you can block third-party 
cookies (by enabling cookies for the originating Web site only) or request a 
warning before any cookie is stored. 


If you ask to be warned before a cookie is stored, you'll find that the prompts 
used by Netscape/Mozilla are precise and informative: 


“This message, for example, tells you that you have previously permitted 
other cookies from the site in question. Assuming that you feel those other 
cookies have done you no harm, you might want to select Remember This 
Decision before clicking Yes to accept the new cookie. Selecting the check box 
puts the serving site on an “always accept” list, so that all subsequent cookies 
from the same site pass through without a prompt. 


You can use a similar technique in Netscape/Mozilla to put sites on an “always 
reject” list. That is, if you select Remember This Decision and click No, the site 
in question is barred from delivering cookies thereafter. 


A Cookie Strategy for Internet Explorer 5 or Netscape/ Mozilla 


The Enable/Disable/Prompt options available in Internet Explorer 5 and 
Netscape 6.2/Mozilla 1.0 don’t give you a lot of flexibility when it comes to 
handling cookies. Blocking everything makes the Internet hard to use (and 
keeps you off some sites altogether). Accepting everything (the default choice 
in both programs) amounts to surrender. And asking to be prompted every 
time a Web site lobs a cookie in your direction turns each browsing session into 
a virtually nonstop barrage of interruptions. 


The prompting option might not be so bad, however, if you use a limited 
number of sites most of the time. As you work with these “regulars,” you can 
quickly segregate sites into accept-cookie and reject-cookie categories. Once 
you've put a site into either group, you no longer need to deal with its 
prompts. 


Suppose, for example, that you log on to a weather information site every 
evening to get the next day’s forecast. If the site serves cookies, put it on the 
good-guys list. (In Internet Explorer’s Security Alert dialog box, select the 
check box and click Yes. In the Netscape/Mozilla Confirm dialog box, select the 
check box and click Yes.) If unwanted cookies come your way, put their servers 
on the bad-guys list. (In Netscape/Mozilla, follow the same procedure, but click 
No instead of Yes. In Internet Explorer 5, you need to move the bad guys to 
your Restricted Sites zone.) 


Before you start compiling lists of accepted and rejected sites, back up your 
current cookie store and then delete all your current cookies. (See Backing _Up,. 
Restoring, and Deleting Cookies.) This will give you a clean start. If you find 
you can’t manage without certain existing cookies, restore the lot and delete 
the ones you don’t need. (A cookie-management utility can simplify this task. 
See Using a Cookie-Management Program, for some recommendations.) 


In a short time, as you use your regular sites, you should see the prompt rate 
diminish. When you need to work with sites you don’t regularly visit, you can 
avoid the flood of prompts as follows: 


. Back up your cookie store. 

. Switch your browser to accept all cookies. 
. Browse. 

. Delete all cookies. 


. Restore the backed-up cookies. 
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. Set your browser to prompt again. 


Setting Cookie Preferences in Internet Explorer 6 


Internet Explorer 6 is the first Microsoft browser to support the P3P initiative, 
an evolving standard developed by the World Wide Web Consortium (W3C). 
You can read a public overview of P3P at Attp://www.w3.org/P3P; technical 
details about version 1.0 (the version supported by Internet Explorer 6) are 


available at http://www.w3.org/TR/P3P. 


Among other things, P3P establishes a standard XML (Extensible Markup 
Language) syntax that Web sites can use to state their privacy policies and a 
mechanism for transmitting those policies via HTTP. The XML vocabulary lets 
sites create two kinds of policy statements—a full description that a site can 
display or link to, and a tokenized compact description that can be embedded 
in an HTTP response header and read by your browser. 


The compact privacy policy statement reports the following: 
e The name of the organization that will collect user information 
e The type of information that will be collected 
e The purpose(s) for which the information will be used 


e How the information will be retained 


Whether the information will be shared with third parties 

e Whether users can access and change information 

e Whether users can change the way information will be used 
e How disputes can be resolved 


e The location of the organization’s complete privacy statement 


Internet Explorer 6 (or another browser that supports P3P) can quickly read 
the tokenized policy statement, compare it with your stated privacy 
preferences, and then accept or reject the cookie as appropriate. 


Using the Privacy Slider to Manage Cookies 


Internet Explorer 6 replaces the Cookies options on Internet Explorer 5’s 
Security Settings dialog box (see Figure 13-4) with the Privacy tab shown in 
Figure 13-6. (To display this dialog box, choose Tools, Internet Options and 
click the Privacy tab.) Adjusting the slider on the Privacy tab is one of several 
ways to manage cookies in Internet Explorer 6. (For others, see Overriding 
P3P-Based Cookie Handling, and Importing_Custom Privacy Settings. ) 


Figure 13-6. The slider on Internet Explorer’s Privacy tab lets you 
choose from six built-in privacy settings. 


If you don’t see a slider on your Privacy tab, you are currently using 
“advanced” or imported privacy settings. You can undo those 
settings and make the slider appear by clicking Default. 


The privacy slider affects only the Internet zone 


If you are accustomed to using different settings for different 
security zones in Internet Explorer 5, you need to be aware of a 
major change in version 6. The privacy slider—Internet Explorer 6’s 
default tool for managing cookies—affects only those sites in your 
Internet zone. (By default, all cookies are accepted in the Trusted 
Sites and Local Intranet zones.) To apply P3P-based preferences to 


either of those zones, you must import a custom privacy settings 
file. (See Importing Custom Privacy Settings.) Cookies from sites in 
the Restricted Sites zone are always rejected, and you can’t 
override that default. 


The privacy slider’s default setting is Medium. Five other settings are available: 
Block All Cookies, High, Medium High, Low, and Accept All Cookies. Moving the 
slider from one setting to another is simple, but understanding the effects of 
each setting requires some careful attention to detail! In particular, be aware 
that, in all settings except Block All Cookies, cookies that already exist on your 
hard disk can be read by the Web site that placed the cookie there, even if you 
block new cookies from that site. To avoid uncertainty, it’s best to back up and 
then delete all existing cookies before you set out for the Web with a new 
privacy setting in place. Also, note that the term implicit consent, used in the 
descriptive text next to the privacy slider, means that you have not taken an 
affirmative step to withhold consent; in other words, these settings assume 
that you have given your permission for a site to use personally identifiable 
information about you unless you have explicitly “opted out” of allowing the 
site to do so. Contrast this with the term explicit consent, which assumes that 
you do not grant this permission unless you “opt in”—that is, you must 
affirmatively grant permission before a site can use personally identifiable 
information about you in a cookie. 


The effects of the six privacy slider settings are listed in Table 13-1 and (in an 
alternative view) Table 13-2. 


Table 13-1. Privacy Slider Settings and Their Effects 


Setting Effect 


Block All All new cookies are blocked. Existing cookies cannot be read. 
Cookies Per-site settings are ignored. 


High All cookies from sites without a compact privacy policy are 
blocked. Cookies that use personally identifiable information 
(for example, your telephone number or e-mail address) are 
blocked unless you have opted to permit them. Existing cookies 
are read, and per-site settings can override the High setting. 


Medium Cookies from third-party sites without a compact privacy policy 

High are blocked. Third-party cookies that use personally identifiable 
information are blocked, unless you have opted to permit them. 
First-party cookies that use personally identifiable information 
are blocked only if you have opted out. Existing cookies are 
read, and per-site settings can override the Medium High 
setting. 


Medium Cookies from third-party sites without a compact privacy policy 

(default) are blocked. Third-party cookies that use personally identifiable 
information are blocked only if you have opted out. Persistent 
first-party cookies for which you have opted out are accepted 
but are downgraded to session cookies. First-party cookies from 
sites without a compact privacy policy are accepted, but 
Internet Explorer prevents them from being read subsequently 
in a third-party context. Existing cookies are read, and per-site 
settings can override the Medium setting. 


Setting Effect 


Low 


Persistent cookies from third-party sites without a compact 


privacy policy are accepted, but Internet Explorer downgrades 
them to session cookies. Persistent first-party cookies for which 
you have opted out are accepted, but Internet Explorer 
prevents them from being read subsequently in a third-party 
context. Existing cookies are read, and per-site settings can 
override the Low setting. 


Accept 
All 
Cookies 


Table 13-2. Privacy Slider Settings by Cookie Type 


Cookie 
Attributes 


Existing 
cookies 


Third-party 
cookies, no 
compact 
privacy 
policy 


First-party 
cookies, no 
compact 
privacy 
policy 


Third-party 
cookies, 
personally 
identifiable 
information, 
no opt out 


First-party 
cookies, 
personally 
identifiable 
information, 
no opt out 


How Cookie Requests Are Handled 


Block 
All 
Cookies 


Cannot 
read 


Blocked 


Blocked 


Blocked 


Blocked 


High 


Can read 


Blocked 


Blocked 


Blocked 


Blocked 


Medium Medium 
High 


Can read Can read 


Blocked Blocked 
Blocked Blocked 
Blocked Accepted 


Accepted Accepted 


All new cookies are accepted. Existing cookies are read. Per-site 
settings are ignored. 


Low Accept 
All 
Cookies 


Can read Can read 


Down- 
graded+ 


Accepted 


Accepted 


Leashed2 


Leashed2 Accepted 


Leashed2 Accepted 


IR How Cookie Requests Are Handled 
Third-party Blocked Accepted Accepted Accepted Accepted Accepted 
cookies, 

personally 

identifiable 

information, 

opt in 


First-party Blocked Accepted Accepted Accepted Accepted Accepted 
cookies, 


personally 

identifiable 

information, 

opt in 

Cookies Blocked Depends Depends Depends Depends Accepted 
from sites on per- on per- on per- on per- 

on per-site site site site site 

list setting setting setting setting 


Unless you import a custom privacy settings file that includes the 
XML element alwaysReplayLegacy, cookies that you had on your 
system before upgrading Internet Explorer 5 to version 6 are 
leashed in all privacy slider settings except Block All Cookies. That 
is, they are replayed in a first-party context only, or they are 
blocked altogether. 


Limitations of P3P 


P3P is by no means a solution for all privacy concerns. You should 
be aware of the following limitations as you work with any of the 
privacy settings in Internet Explorer 6: 


Not all sites are P3P-compliant (although a growing number are). 


P3P is intended to be a mechanism for industry self-regulation. It is 
not policed by the government. If you have doubts about whether a 
site’s behavior is consistent with its stated policies, check to see 
whether the site is certified by a privacy agency, such as TRUSTe 
(http://www. truste.org). Even a TRUSTe certification is not a hard- 
and-fast guarantee, but it might give you additional confidence. 


Sites can change their privacy policies without notifying you. 


Also be aware that P3P is still in the early stages of its development. 
Future revisions of the specification, as well as future versions of 
Internet Explorer and other browsers, might provide additional 
privacy options for you. 


Fine-Tuning Your Privacy Setting with the Per-Site List 


You can combine one of the privacy slider settings with the per-site list to fine- 
tune that setting. The per-site list lets you name specific domains from which 
you want to accept or reject all cookies. Figure 13-7 shows an example of the 
per-site list. 


Pa 


Figure 13-7. Combine per-site settings with privacy slider settings to fine- 
tune your cookie policy. 


To add a domain to the per-site list, choose Tools, Internet Options; click the 
Privacy tab, and then click Edit. Type or paste the domain name in the Address 
Of Web Site box, and then click either Block or Allow. Note that you need only 
the domain name (including the top-level domain, such as .com or .org), not 
the site’s entire URL. If you include an entire URL, Internet Explorer trims it to 
include only what it needs. 


For example, suppose you’ve browsed to 

http://www. truste.org/consumers/users_how.html, a section of the TRUSTe 
Web site, and you decide to add TRUSTe to your Always Allow list. You can 
select the Address bar, press Ctrl+C to copy the full URL to the Clipboard, go to 
the Per Site Privacy Actions dialog box (shown in Figure 13-7), press Ctrl+V to 
paste, and then click Allow. The TRUSTe site will take its place in your per-site 
list, trimmed from the full URL to truste.org. 


You can also populate the per-site list from the Privacy Policy dialog 
box; see the next section, “Reading the Privacy Report.” Custom 
privacy settings files can create per-site lists as well; see Importing 
Custom Privacy Settings. 


Reading the Privacy Report 


Whenever your privacy settings cause Internet Explorer to block one or more 
cookies, the following icon appears in your browser’s status bar: 


.To learn more about what’s been blocked, double-click the icon, or choose 
View, Privacy Report. A dialog box comparable to the one shown in Figure 13-8 
appears. 


“Figure 13-8. Double-clicking the blocked-cookie icon in Internet 
Explorer’s status bar displays this Privacy Report dialog box. 


You can set the Privacy Report dialog box to show only those sites from which 
cookies have been blocked or all sites that have contributed to the current 
page. When you open the dialog box by double-clicking the blocked-cookie 
icon, it initially displays the blocked sites only. To see everything, choose All 
Web Sites in the Show list. 


The Restricted Web Sites item in the Show list of the Privacy Report 
dialog box (see Figure 13-8) has nothing to do with your Restricted 
Sites security zone. It simply refers to those sites contributing to 
the current page that have had one or more cookies blocked by 


To find out more about a site that has had a cookie blocked, select it in the 
Privacy Report dialog box and click Summary. The selected site’s full P3P policy 
statement then appears in the Privacy Policy dialog box, shown in Figure 13-9. 
After reading the privacy policy, you might decide to add the site in question to 
your per-site list so that cookies from this site are henceforth always allowed or 
always blocked. You can use the option buttons at the bottom of the dialog box 
for this purpose. 


Figure 13-9. Selecting a site in the Privacy Report dialog box and 
clicking Summary displays the full P3P policy. 
Overriding P3P-Based Cookie Handling 


If you decide that none of the P3P-based privacy settings quite works for you, 
click the Advanced button on the Privacy tab of the Internet Options dialog 
box. In the Advanced Privacy Settings dialog box, select Override Automatic 


Cookie Handling, and then fill out the remainder of the dialog box to suit your 
preferences. Figure 13-10 shows the Advanced Privacy Settings dialog box set 
to accept all session cookies without prompting, but to prompt for all persistent 
cookies. 


Figure 13-10. In the Advanced Privacy Settings dialog box, you can 
override automatic (P3P-based) cookie handling and set your own policies 
instead. 


Per-site settings and existing cookies trump advanced settings 


If you decide to block either first-party or third-party cookies (or 
both) through the Advanced Privacy Settings dialog box, be sure to 
remove any per-site settings that allow cookies. Otherwise, the sites 
to which you gave carte blanche earlier will continue to drop cookies 
on your plate. To do this, click Edit on the Privacy tab of the Internet 
Options dialog box. Select specific sites and click Remove, or simply 
click Remove All. 


Also be sure to back up and delete existing cookies for sites that 
you want to block (or to be prompted for). Otherwise, those sites 
will continue to read your current cookie data. For details, see 
Backing_Up, Restoring, and Deleting Cookies. 


If cookies are blocked because of settings in the Advanced Privacy Settings 
dialog box, the same do-not-enter icon appears in your status bar, and you can 
use it to display sites’ policy statements. If your advanced settings result in a 
cookie prompt, you'll see something comparable to the Privacy Alert dialog box 
shown in Figure 13-11. (The Privacy Alert dialog box always appears initially in 
its collapsed form, but it’s not very useful that way. You'll want to click More 
Info to open the full dialog box.) 


Figure 13-11. The expanded form of the Privacy Alert dialog box can 
help you decide whether to accept or reject a proffered cookie—or add its 
site to your per-site list. 


The various fields in the Cookie Information section of this dialog box tell you 
which basic type of cookie (third-party or first-party, session or persistent) is 
being offered, who it’s coming from, what name and value are being sent, 
when the cookie expires, and whether the cookie can be replayed only over a 
secure connection. In the Compact Policy field, you can even see the compact 
policy tokens (and, in some cases, the URL of the full policy statement). If you 
don’t want to master the P3P specification 

(http://www. w3.org/TR/P3P/#compact_ policy vocabulary) but do want to 
know what those tokens mean, go ahead and accept the cookie (without 
selecting Apply My Decision To All Cookies From This Web Site), and then 
choose View, Privacy Report. Select an item from the list of Web sites with 
content on the page (typically the top-level domain is your best choice) and 
then click Summary to read the spelled-out version. 


Importing Custom Privacy Settings 


The privacy options you can set with the privacy slider don’t begin to cover all 
the available bases. They’re applicable only to Web sites in the Internet 
security zone, and they deal with only some of the many possible combinations 
of tokens that can appear in a P3P compact privacy policy statement. In order 
to keep the user interface from becoming overwhelmingly complex, Microsoft 
implemented end-user settings for a half-dozen token permutations and gave 
advanced users an XML schema to deal with the rest. If you have some basic 
programming skills and an hour or two to master the schema (plus the P3P 
specification), you can create your own custom privacy settings files. These, 


unlike the built-in settings, can be applied to any security zone except 
Restricted Sites. You can find an overview of how to create a custom privacy 
settings file at 

http://msdn. microsoft.com/workshop/security/privacy/overview/privacyimport 
xml.asp, and a detailed description of the XML elements that can be used at 


http://msdn. microsoft.com/workshop/security/privacy/customimportxml/custo 


mimportxml.asp. 


Take advantage of prefab custom privacy settings files 


You can find prefabricated custom privacy settings files on the 
Internet. For example, Eric L. Howes has bundled more than 100 
such files into a package called XML-Menu, which you can download 
free from http://www. staff. uiuc.edu/~ehowes/resource5.htm#files. 
Even these settings will not cover every possibility (in particular, 
they include no per-site settings), but you can use them as a 
starting point. 


To import a custom privacy settings file, click Import on the Privacy tab of the 
Internet Options dialog box and specify the file name. Internet Explorer checks 
the XML syntax before accepting the file and confirms a successful import. 


Note the following: 


e Privacy settings that are not overridden by the custom settings 
file remain in effect. Thus, for example, you can use the privacy 
slider and per-site list to establish settings for the Internet zone 
and then use the custom settings file to configure only the 
Trusted Sites zones. 


e If your custom settings file does configure a specific zone, and 
after importing it you adjust the privacy slider, your privacy slider 
setting overrides your custom Internet zone configuration. 


e If your custom settings file uses the MSIESiteRules element to 
configure per-site settings in the Internet zone, the custom 
settings file takes precedence over existing per-site settings. 


If you import a new custom settings file, its configurations 
replace those of the previous one. That is, you cannot use 
custom settings files cumulatively. 


Removing Custom Privacy Settings 


To remove custom privacy settings and restore default cookie handling for the 
Internet, Local Intranet, and Trusted Sites security zones, follow these steps: 


1. On the Privacy tab of the Internet Options dialog box, click 
Default. 


The Default button might be unavailable if the privacy slider was 
set to Medium (the default) before you imported the custom 
settings file. (This happens if the custom settings file includes 
only an alwaysReplaceLegacy element or if it does not include a 
p3pCookiePolicy element that specifies zone = “internet”.) If the 
button is unavailable, continue to step 2. 


2. If your custom settings file configured per-site settings (with the 
MSIESiteRules element), click Edit on the Privacy tab to open the 
Per Site Privacy Actions dialog box and then remove any sites 
that were so configured. 


3. If your custom settings file specified prompting for any Local 
Intranet sites, close the Internet Options dialog box and run 
Registry Editor. Remove the keys for any such sites that appear 
under HKCU\Software\ 
Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History. 


These registry keys appear only if your custom settings file was 
set to prompt for them and you (or another user) subsequently 
used the Privacy Alert dialog box to change the per-site setting to 
Allow Cookie or Block Cookie. (For more about this issue, see 
Knowledge Base article Q302831, “Unable to Remove Per Site 
Privacy Actions for Local Intranet Sites.”) 


4. If your custom settings file includes the alwaysReplaceLegacy 
element, use Registry Editor to remove the LeashLegacyCookies 
DWORD value (if it exists) from 
HKCU\Software\Microsoft\Windows\ CurrentVersion\Internet 
Settings. 


5. If your custom settings file includes a p3pCookiePolicy element 
that sets zone = “intranet”, use Registry Editor to remove the 
values {AEBA21FA-782A-4A90-978D-B72164C80120} and 
{A8A88C49-5EB2-4990-A1A2-0876022C854F} under the key 
HKCU\Software\Microsoft\ Windows\CurrentVersion\Internet 
Settings\Zones\1. 


6. If your custom settings file includes a p3pCookiePolicy element 
that sets zone = “trustedSites”, delete the same values listed in 
step 5, under the key 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\2. 


For more information about these steps, see Knowledge Base article Q301689, 
“How to Restore Default Settings After Importing Custom Privacy Preferences.” 


A simple cookie strategy 


If the complexities of devising per-zone cookie policies and 
importing custom XML files seem like more trouble than the results 
justify, we recommend this simple but effective strategy that uses 
the built-in cookie-management tools in Internet Explorer 6. 


Start by opening the Internet Options dialog box and clicking the 
Advanced button on the Privacy tab. Then follow these steps: 


1. Select the Override Automatic Cookie Handling option. 


2. Under First-Party Cookies, choose Prompt. This option 
allows you to decide whether to accept or reject 
cookies each time you visit a new site. 


3. Under Third-Party Cookies, choose Block. This 
prevents the most egregious instances of companies 
monitoring your movements on the Web. 


4. Select the Always Allow Session Cookies check box. 
Session cookies are benign, in privacy terms. 


Backing Up, Restoring, and Deleting Cookies 


Backing up your cookies is a good idea if you’re about to experiment with 
Internet Explorer’s privacy settings and you're concerned about losing 
functionality at particular Web sites if you block their cookies. Back up the 
existing store, delete all your cookies, and begin experimenting. If you find you 
can’t live without the cookies you deleted, restore them. 


All versions of Internet Explorer in Windows XP and Windows 2000 include an 
Import And Export command that you can use to back up and restore cookie 
files. (You can also use this command to back up and restore the contents of 
the Favorites folder.) The file created when you use Import And Export was 
intended as a means of transferring cookies and favorites between Internet 
Explorer and Netscape/Mozilla, but it also works just fine as a backup and 
restore tool. 


To back up your cookies, choose File, Import And Export. When the wizard 
appears, click Next on the welcome screen, specify Export Cookies, and then 
click Next again. 


Choose Export To A File and specify a file name and location. (If 
Netscape/Mozilla is installed, the option to export to an application will also be 
available.) To restore your cookies, follow the same procedure, but select 
Import Cookies instead of Export Cookies. It’s that simple. 


To delete all your cookies in one swoop, choose Tools, Internet Options. Then, 
on the General tab of the Internet Options dialog box, click Delete Cookies. 


The quickest way to delete cookies selectively (if you’re not using a cookie- 
management program) is to choose Start, Run and then type 
%userprofile%\cookies in the Run dialog box. In the ensuing Windows 
Explorer window, simply delete the cookies you want to get rid of. 


Alternatively, you can delete cookies selectively from the Temporary Internet 
Files folder. To display this folder, choose Tools, Internet Options. On the 
General tab, click Settings; and in the Settings dialog box, click View Files. 
When the Temporary Internet Files folder appears (it takes a moment or two, 
usually, because Temporary Internet Files is a virtual folder, and Internet 
Explorer has to “reconstitute” it from several hidden system folders), display 
the folder in Details view and sort it by Name. Your cookies will then appear 
together because their file names all begin with Cookie. 


Using a Cookie-Management Program 


A large number of free or inexpensive third-party cookie-management 
programs are available. Here are three that we like: 


e Karen’s Cookie Viewer (free) 


http://www. karenware.com/powertools/ptcookie.asp 
e PurgelE (shareware) http://www. aandrc.com/purgeie 


e CookieCop 2 (free) 
http://www.pcmag.com/article/0,2997,s=1478&a=20845,00.asp 


Karen’s Cookie Viewer is a cleanly constructed utility that lets you look inside 
your existing cookies, determine what information they’re sending and to 
whom, and delete those you don’t need. The Microsoft Visual Basic source code 
is also available free at Karen Kenworthy’s Web site. 


PurgelE, from Assistance and Resources for Computing, Inc., is designed for 
covering your tracks—removing your history files, temporary files, and 
anything else that would furnish clues to your recent activity on the Internet. It 
also includes tools for viewing and deleting cookies as well as the incredibly 
useful ability to clean up “strays”—items in the Cookies folder or the browser 
cache that are no longer indexed and cannot be removed using Internet 
Explorer’s tools. 


CookieCop 2, a PC Magazine utility, is also a privacy Swiss Army knife. In 
addition to filtering cookies, it can downgrade incoming cookies to session 
status, disable pop-up windows, and remove the referrer information that your 
browser normally sends (the address of the site you were most recently 
visiting). 


If you're looking for a third-party cookie-filtering tool, you might 
want to hunt for one that supports P3P and can block cookies on the 
basis of sites’ compact privacy policy statements (or the absence of 
same). As this book goes to press, such tools are not yet available. 


Plugging a Windows Media Player Security Hole 


By default, Windows Media Player can send requesting Web sites a 
globally unique identifier (GUID) that allows those sites to uniquely 
identify your computer. The stated purpose of this identifier is to 
enable streaming media sources to “make adjustments to provide 
increased playback quality and to alert you to unseen events that 
occur when receiving streams over the Internet.” 


This identifier (stored in the registry as the string value UniqueID, 
under the key HKCU\Software\Microsoft\Windows 
Media\WMSDkK\General) can be used by Web sites for profiling 
purposes. In other words, it constitutes a kind of persistent cookie, 
impervious to P3P and your browser’s privacy settings and available 
to any inquiring site with a snippet of JavaScript. 


The workaround is simple. In either version 7 or version 8 of 
Windows Media Player, choose Tools, Options. On the Player tab of 
the Options dialog box, clear Allow Internet Sites To Uniquely 
Identify Your Player. Note that this option is selected by default. 


With the option to send a unique identifier turned off, Windows 
Media Player transmits a generic GUID that changes each time you 
start a new Internet Explorer session. The practical effect is to 
render you anonymous to anyone trying to exploit this vulnerability. 


Watching for Web Bugs 


A “Web bug” is a small object on a Web page 
whose purpose is to collect information. The term 
typically refers to a 1-pixel-by-1-pixel GIF image 
from a third party. Like any other object you 
download as part of a Web-page request, Web 
bug servers receive the basic data from your 
browser—your IP address, the page you linked 
from, your ISP, and so on. (See What Your 
Browser Gives Away.) Like all other third-party 
objects, they can also transmit and replay 
cookies. 


Web bugs disturb many computer users because 
of their stealthy nature. A 1-by-1 image is an 
unnoticeable speck on your screen, but its eyes 
and ears are as large as those of the tallest 
skyscraper ad. Knowing that Web bugs exist, 
people have the squirmy feeling they’re being 
spied on (as indeed they undoubtedly are), that 
their “Web conversations” are bugged. 


But are Web bugs a serious privacy threat? No 
more than any visible HTML object. The best way 
to deal with them is to block third-party cookies. 


You can read more about Web bugs at the Privacy 
Foundation’s Web site, 

http://www. privacyfoundation.org. At this site, 
you can also download a free Web bug ferret 
called Bugnosis, an Internet Explorer add-in that 
looks for suspicious HTML objects and pops up a 
message to notify you when it finds them. 


Rooting Out Spyware 


The term spyware (along with its many less 
printable synonyms) refers to programs that 
reside on your hard disk, monitor your activities 
(usually your Web-surfing activities), and report 
their findings via your Internet connection to 
tracking organizations that use the information 
for advertising purposes or sell it to others. 


Spyware is most likely to arrive on your system 
in the company of some advertising-sponsored 
freeware or shareware product that you 
download. (Several popular download managers, 
for example, come with spyware attached.) Some 
spyware providers let you know what they're up 
to (in the fine print of their license agreements or 
privacy statements), and others do not. 


Because the dirty work is done from the comfort 
of your own system, rather than via cookies 
across the Web, spyware programs are a form of 
Trojan horse. The most effective way to deal with 
them is to scan your system periodically, using a 
regularly updated list of known culprits. A free 
utility called Ad-aware (from Lavasoft, 
http://www. lavasoft.nu) does exactly that. Ad- 
aware searches your computer’s memory, looks 
for suspicious registry keys and values, finds 
cookies of dubious value, and tracks down 
spyware executables on your local storage. After 
a scan, you can delete or retain items selectively. 
If you’re not sure whether an item is really 
expendable, Ad-aware will back it up for you 
before tossing it. Figure 13-12 shows Ad-aware in 
action. 


“-Figure 13-12. Ad-aware found 75 
potential spyware components on this 


system, including executables, cookies of 
questionable utility, and registry keys. 


Another defensive measure you can take is to use 
a firewall, such as Zone Labs’ ZoneAlarm Pro, 
that monitors traffic between your computer and 
the Internet. ZoneAlarm Pro warns you when an 
application tries to access the Internet and gives 
you the option of blocking such access—that time 
or always. For information about choosing and 
configuring a firewall, see Blocking Attacks with a 
Firewall. 


Coping with More Insidious Forms 
of Spookware 


If you think the spyware described in the preceding 
section sounds ominous, check out the following: 


e Spector, Spector Pro, or EBlaster (all from 
SpectorSoft, http://www.spectorsoft.com) 


e Investigator (from WinWhatWhere, 
http://www. winwhatwhere.com) 


These programs, and others like them, can be used to 
record every action you take at your computer—every 
keystroke, every e-mail message, every Web access, 
every instant message or chat. Most such products are 
marketed as employee-monitoring tools, designed to 
help companies reduce legal exposure and worker slack 
time. SpectorSoft and WinWhatWhere, in addition, 
explicitly tout their products’ potential use as 
“adulteryware”—a way for suspicious spouses to gather 
evidence that their partners are cheating in chat rooms 
or carrying on an e-mail affair. 


The scary news is that these programs are perfectly 
legal (in the United States, at any rate), very difficult to 
detect (among other evasive measures, for example, 
Investigator renames and relocates its component files 
periodically), and so inexpensive as to constitute an 
impulse buy for the inquisitive spouse, parent, or 
employer. They’re also remarkably good at what they 
do. EBlaster, for instance, can take hundreds of screen 
shots per hour on the target computer and e-mail them 
to you anywhere in the world. Investigator can do the 
same, and it can also provide you with e-mail alerts 
whenever the target user types preconfigured 
keywords. 


By far the best way to cope with spookware is to avoid 
spookworthy behavior. Don’t do anything on your 
employer’s computer that you wouldn’t want your 
employer or supervisor to know about, and don’t 


arrange secret assignations online. (Use the phone; it’s 
harder to bug.) 


If you want to go looking for spookware on your 
system, try the following: 


e Look for programs that run at startup, 
which can be hidden in a startlingly large 
number of places, as shown in Table 13-3. 
Windows XP users can examine most of 
these locations with System Configuration 
Utility (Msconfig.exe). 


e Use the Services console to see which 
services are running. Carefully examine 
any that are not included with Windows. 
(The Windows services are shown in Table 
17-2.) 


e Press Ctri+Alt+Esc to open Task Manager, 
and examine the Processes tab. Try to 
identify each of the running processes— 
especially those with the user name 
System or another account besides your 
own. 


e Examine the keyboard, its cable, and its 
connection to the computer. Look for 
alterations or extra devices. 


e Use a registry monitoring tool (such as 
Sysinternals’s free Regmon, 
http://www. sysinternals.com/ntw2k/sourc 
e/regmon.shtm!/) to watch for unexplained 
changes to your registry. Be aware, 
though, that ordinary, nonsinister registry 
updates occur almost continuously. 


e Look for unaccountable hidden files in 
your system folders. Some spookware 
products might put essential DLLs there. 


e Be aware of any sudden, unexplained 
degradation of your computer's 
performance. All that logging, screen- 


shooting, and e-mailing has to consume 
some clock cycles. 


Table 13-3. Common Locations for Programs That 
Start Automatically 


Location Description 


Startup The %UserProfile%\Start 

folder (User) Menu\Programs\Startup folder contains 
shortcuts that run when a specific user 
account logs on. 


Startup Shortcuts in the %AllUsersProfile%\Start 
folder Menu\ Programs\Startup folder run 
(Common) automatically whenever any user logs on. 


Run key Programs listed in the registry’s HKLM\ 

(Machine) Software\ 
Microsoft\Windows\CurrentVersion\Run 
key are available for all users. 


Run key Programs listed in the HKCU\ 

(User) Software\Microsoft\Windows\ 
CurrentVersion\Run registry key run when 
the current user logs on. 


Scheduled You can use Scheduled Tasks to specify 

Tasks folders per-user tasks that run at startup. In 
addition, an administrator can set up 
startup tasks for your user account; by 
default, such tasks are listed only in the 
administrator’s Scheduled Tasks folder, not 
your own. Other users can also schedule 
tasks that run when you log on; these 
tasks run as background processes only. 


Location 


Win.ini 


RunOnce and 
RunOnceEx 
keys 


Group Policy 


Logon scripts 


Description 


Programs written for 16-bit versions of 
Windows can add commands to the Load= 
and Run= lines of this startup file (a 
legacy of the Windows 3.1 era), located in 
%SystemRoot%. 


This group of registry keys identifies 
programs that run once and only once at 
startup. These keys can be assigned to a 
specific user account or to the machine. 
HKLM\Software\Microsoft\ 
Windows\CurrentVersion\RunOnce 
HKLM\Software\Microsoft\ 
Windows\CurrentVersion\RunOnceEx 
HKCU \Software\Microsoft\ 
Windows\CurrentVersion\RunOnce HKCU 
\Software\Microsoft\ 
Windows\CurrentVersion\RunOnceEx 


Group Policy has two policies (both called 
Run These Programs At User Logon) that 
contain a list of programs to be run 
whenever anyone logs on. In Group Policy, 
you'll find the policies in Computer 
Configuration\ Administrative 
Templates\System\Logon and User 
Configuration\Administrative 
Templates\System\Logon. 


Logon scripts, which run automatically at 
startup, can open other programs. Logon 
scripts are specified in Group Policy in 
Computer Configuration\Windows 
Settings\Scripts and User 
Configuration\Windows Settings\Scripts 
(Logon/Logoff). 


Location 


Description 


Miscellaneous The Load key in 


registry keys 


HKCU\Software\Microsoft\Windows 
NT\CurrentVersion\Windows and the 
BootExecute key in HKLM\ 
System\CurrentControlSet\Control\Session 
Manager are unusual but effective 
locations for automatically starting a 
program 


Browsing Anonymously 


If you’re concerned about the identifying 
information that your browser invariably sends to 
Web sites (see What Your Browser Gives Away), 
you might want to consider an anonymous 
browsing service. Anonymous browsers interpose 
a proxy between you and the Web sites you visit. 
You give the proxy the URL of the site you want 
to see; the proxy fetches the page and sends it 
on to you, leaving the Web site in the dark about 
your own identity. 


These companies are both good providers of 
anonymous browsing services: 


e IDZap.com (http://www. idzap.com) 


e Anonymizer.com 


(http://www. anonymizer.com) 


Both providers offer two levels of service, a basic 
level for free and a premium subscription service. 
If you plan to do a lot of anonymous Internet 
work, you'll probably want to sign up for the 
premium service. The principal limitations of the 
free services are these: 


e The Web sites you interact with 
don’t know who you are, but your 
ISP and—if you’re using a company 
proxy server—your network 
administrator can track the pages 
you download (and their URLs). 
With the premium services, your 
connection to the anonymous host 
is itself secure, via SSL, so 
intermediaries on your side of the 
host can’t see what you’re doing. 


e The free services support HTTP 
only. For secure connections 
(commercial transactions, for 
example), you'll need to connect in 
the traditional way, without the 
anonymous host. This might not be 
a serious problem, since you 
presumably trust the sites with 
which you transact secure business, 
but you might get tired of having to 
switch back and forth between two 
modes of connection. 


Both services also offer other inducements (the 
ability to block pop-up windows and banner ads, 
for example) to adopt their premium offerings. 


Covering Your Tracks 


In an effort to simplify recurrent tasks, Windows, 
Internet Explorer, and major applications all 
preserve evidence of your recent activities. They 
record these “tracks” in many different places—in 
%UserProfileY%o\Recent (which appears as My 
Recent Documents on the Windows XP Start 
menu), %UserProfile%\Local Settings\History, 
%UserProfile%\Local Settings\Temporary 
Internet Files, numerous separate registry keys, 
the Recycle Bin, the page file, and more. 


Wiping the page file 


If there’s a possibility of your 
computer falling into the wrong hands, 
you should be sure that you don’t 
leave any tracks in the page file. 
Because the page file acts as virtual 
memory, it contains snippets of 
everything you work on. By default, 
when you shut down your system, the 
page file remains intact. People who 
have access to your computer could 
conceivably pore through the 
unencrypted paging file to find out 
what you’ve been up to. 


You can foil such snooping by enabling 
a security policy. In Control Panel, 
open Administrative Tools, Local 
Security Policy. In the Local Security 
Settings console, open Security 
Settings\Local Policies\Security 
Options. Double-click the Shutdown: 
Clear Virtual Memory Pagefile policy 
(in Windows 2000, the policy name 
doesn’t include the word Shutdown), 


select Enabled, and click OK. After you 
do that, Windows fills the page file 
with zeros whenever you shut down. 
Because this could slow down your 
system, don’t make this change unless 
your security needs demand it. 


You can cover some of your tracks with simple 
menu commands. For more thorough or 
automated shredding, you can choose from a 
wide assortment of tools offered by independent 
software developers. 


Eliminating Your Internet Explorer 
History 


To erase the past in Internet Explorer, follow 
these steps: 


1. Choose Tools, Internet Options. 


2. On the General tab of the Internet 
Options dialog box, click Clear 
History. 


You can also use the spinner next 
to the Clear History button to 
control how many days of history 
Internet Explorer should record. 
Note, however, that if you set this 
value to 0, Internet Explorer’s 
History bar continues to show 
where you've been on the current 
day. If you click Clear History, 
however, even today’s travels are 
forgotten. Clearing your history also 
clears the Address bar’s most- 
recently-used list. 


3. Still on the General tab of the 
Internet Options dialog box, click 
Delete Files. 


Deleting “files” cleans out the cache 
of recently downloaded HTML 
objects (Temporary Internet Files) 
that Internet Explorer maintains in 
order to redisplay pages more 
quickly. When you do this, you'll 
see the following confirmation 
prompt: 


wd 


Internet Explorer preserves Web 
pages that you’ve marked for 
offline viewing in a cache separate 
from Temporary Internet Files. 
Select the check box to eliminate 
these files as well. 


Erasing Your Internet Explorer 
AutoComplete History 


To thoroughly cover your tracks in Internet 
Explorer, you should erase not only the history 
that appears in the History bar but also the 
AutoComplete history that Internet Explorer uses 
to simplify your use of forms and logon screens. 
To take this additional step, follow this procedure: 


1. Choose Tools, Internet Options and 
click the Content tab. 


2. On the Content tab of the Internet 
Options dialog box, click 
AutoComplete. 


3. In the AutoComplete Settings 
dialog box, click Clear Forms and 
Clear Passwords. 


4. To turn off AutoComplete, clear all 
the check boxes in the 
AutoComplete Settings dialog box. 


Turning Off Inline AutoComplete in 
Internet Explorer 


Internet Explorer can remember URLs that you’ve 
typed before and assist you in retyping them. To 
keep the program from assisting someone else in 
retyping them, you'll want to turn off this feature. 
Follow these steps: 


1. Choose Tools, Internet Options and 
click the Advanced tab. 


2. On the Advanced tab of the 
Internet Options dialog box, clear 
Use Inline AutoComplete (near the 
bottom of the Browsing section). 


Clearing Your Recent Documents List 


The Windows Start menu can be configured to 
display shortcuts to the 15 documents you've 
used most recently. The items that appear there 
are derived from the folder 
%UserProfile%o\Recent, which actually contains 
many more than 15 items. Anyone with physical 
access to your computer who wants to see ata 
glance what you've been up to lately can get a 
quick snapshot by viewing the contents of this 
folder. 


One quick way to clear out your recent document 
history is to go straight to the folder by opening 
the Run dialog box and typing recent. Delete all 
the files you find in the folder. (If you open the 
%UserProfile% folder and can’t see the Recent or 
My Recent Documents folder, be sure that 
Windows Explorer is set to display items with the 
Hidden attribute.) 


You can also delete the cache of recent 
documents (including everything in the My 
Recent Documents folder, not just the 15 items 
shown on the Start menu) as follows: 


In Windows XP: 


1. Right-click the Start button or 
taskbar and choose Properties. 


2. On the Start Menu tab of the 
Taskbar And Start Menu Properties 
dialog box, click Customize. 


3. On the Advanced tab of the 
Customize Start Menu dialog box, 
click Clear List. (If you use the 
classic Start menu, click Clear in 


the Customize Classic Start Menu 
dialog box.) 


In Windows 2000: 


1. Right-click the taskbar and choose 
Properties. 


2. On the Advanced tab of the Taskbar 
And Start Menu Properties dialog 
box, click Clear. 


Clearing the list of recent documents 
also clears the most-recently-used list 


maintained by the Start menu’s Run 
command. 


Eliminating Recent Document History 
on Exit 


With a Group Policy setting, you can eliminate the 
menu of recently used documents automatically 
every time you quit Windows. To do this, open 
Group Policy (at a command prompt, type 
gpedit.msc) and enable the setting User 
Configuration\ Administrative Templates\Start 
Menu And Taskbar\Clear History Of Recently 
Opened Documents On Exit. To turn off this 
automatic cleansing, disable the same setting or 
set it to Not Configured (its default state). 


For information about using Group 
Policy, see Chapter 19, “Managing 


Security Templates.” 


Wiping data from unused areas of 
a disk 


Someone with the knowledge, desire, 
and proper tools can examine files on 
your disk even after you’ve deleted 
them. By default, files that you delete 
go to the Recycle Bin. Recycle Bin is 
actually a hidden folder; deleting files 
merely moves them to that folder. A 
determined snoop with access to your 
computer can paw through your trash 
to dig up the dirt. If you’re concerned 
about such access, configure Recycle 
Bin so that deleted files don’t go 
there. (Right-click Recycle Bin and 
choose Properties. On the Global tab, 
select Do Not Move Files To The 
Recycle Bin.) If you don’t want to lose 


the benefit of Recycle Bin protection 
altogether, get in the habit of 
emptying the Recycle Bin before you 
log off. 


However, your deleted files can still be 
dredged up, even if they’re no longer 
in Recycle Bin. That’s because when 
you delete a file, Windows actually 
deletes only the file’s directory entry; 
the file’s data remains intact until 
another file uses its space. To prevent 
your files from being viewed by 
someone with file-recovery tools, you 
need a file-wiping utility. The version 
of Cipher.exe included with Windows 
XP and Windows 2000 SP2 or later 
performs this task nicely: it overwrites 
all the unused areas of a drive with 
zeros, then fills all unused bits with 
ones, and finally overwrites all unused 
areas with random numbers. To wipe 
unused data, open a Command 
Prompt window and type 
cipher/w:directory, where directory 
is the name of a folder—any folder— 
on the drive you want to wipe. The 
easiest way to wipe the current drive 
is to type cipher /w:.(a period is 
command-line shorthand for the 
current folder). To wipe a different 
drive, include the drive letter (for 
example, cipher /w:e:\). 


Eliminating Applications’ Most- 
Recently-Used Lists and the Recent 
Documents Menu 


A second Group Policy setting, considerably more 
powerful than the one just described, not only 
empties the Start menu’s list of recent 
documents; it also performs a “memory charm” 
on supporting applications (including those of 
Microsoft Office and other third-party applications 
certified for Windows 2000 or later versions) so 
that they no longer display your most recent 
selections on the File menu. The policy setting is 
User Configuration\Administrative 
Templates\Start Menu And Taskbar\Do Not Keep 
History Of Recently Opened Documents. 


When you enable this setting, Windows retains its 
knowledge of your recent documents but does 
not communicate it to the Start menu or 
supporting applications. If you subsequently 
disable the setting (or set it to Not Configured), 
the menu items that had been suppressed 
reappear. 


Beware the persistence of memory 


Not all programs lose their most- 
recently-used lists when you enable 
Do Not Keep History Of Recently 
Opened Documents. Not even all 


Microsoft programs do this. (Microsoft 
Paint does not, for example). Be sure 
that the program whose history you 
want to cover responds to this setting 
before you rely on it. 


Contrary to the descriptive text in 
Group Policy, enabling Do Not Keep 


History Of Recently Opened 
Documents does clear the most- 
recently-used list maintained by 
common Open and Save As dialog 
boxes. 


Using Third-Party Cleansers 


A variety of third-party products can help you 
rewrite history. To erase evidence of your 
Internet activities (and eliminate undesirable 
cookies as well), we recommend PurgelE (from 
Assistance and Resources for Computing, Inc., 
http://www. aandrc.com/purgeie). PurgelIE can 
eliminate temporary Internet files, history 
folders, visited URLs, typed URLs, and more—on 
demand or every time you start Windows. 


For more global cleaning operations, covering 
Windows in general as well as Internet Explorer 
and Netscape/Mozilla, the most highly regarded 
program is Window Washer (from Webroot.com, 
http://www. webroot.com/washerl12.htm). 
Window Washer erases your document history, 
the most-recently-used list maintained by the 
Windows Search command, the temporary files 
created by Scandisk, the various Microsoft Office 
most-recently-used lists, and more. You can even 
download custom plug-ins for eliminating most- 
recently-used lists held by a long list of third- 
party programs. 


Whatever cleanup measures you take, if you 
really care about keeping your computing 
activities private, don’t forget the obvious: Use 
strong passwords, lock your workstation when 
you step away, and put an old-fashioned lock on 
your office door. 


Part 3 


Protecting Your Network 


Chapter 14 


Network Security 101 


Securing a stand-alone computer is challenging 
enough, but when you begin connecting 
computers in a network, the security risks 
increase dramatically. Setting up a secure 
network requires that you strike a delicate 
balance between providing authorized users with 
easy access to shared resources and locking out 
those who have no business poking around in 
your files. 


In this chapter, we discuss procedures for setting 
up and securing a local area network (LAN) over 
which you have administrative rights. Our focus is 
on computers that are part of a small group, 
whether in your home, in a small office, or in a 
department within a larger enterprise. In this 
scenario, users often have a need to share some 
resources freely and a corresponding need to 
protect personal and confidential information 
from other users on the same network. (On large 
networks, you’re more likely to be part of a 
Microsoft Windows domain, with dedicated 
servers and a staff of support professionals 
whose sole job is keeping the network running 
smoothly. ) 


After your LAN is up and running, you can choose 
one of several ways to configure the network so 
that all computers can access the Internet, 
making it a wide area network (WAN). Although 
we briefly touch on issues related to the LAN-to- 
WAN connection in this chapter, a full discussion 
of the subject is in Chapter 15, “Sharing_an 
Internet Connection.” 


Security Checklist 


Don’t let your network fall prey to 
outside attackers. Follow these steps 
to secure your borders. 


e On a computer running 
Windows XP, use the 
Network Setup Wizard to 
configure your network 
properly. This wizard 
sets permissions, 
enables file sharing, 
configures the Guest 
account, and turns on 
the Internet Connection 
Firewall, if needed. 


e If you share an Internet 
connection through a 
hub or switch (not a 
recommended 
configuration) disable 
sharing on TCP/IP and 
install IPX/SPX instead. 


e Disable file sharing on 
your Internet 
connection. 


e On a computer running 
Windows XP 
Professional, consider 
disabling Simple File 
Sharing for extra 
security. 


e Don’t share the root 
folder of any drive 
unless that drive 
contains only 
nonsensitive data files. 


e On systems that contain 
extremely sensitive 
data, consider disabling 
all administrative 
shares. 


Building a Network with 
Security in Mind 


Even for Windows experts, network security is a 
challenging and demanding area of technology. 
Oh, sure, it’s easy to get started. Thanks to 
cheap and ubiquitous hardware and fill-in-the- 
blanks wizards, just about anyone can combine 
two or three computers running Windows into a 
local area network in a matter of minutes. 
Ensuring that your network stays secure, 
however, requires constant attention. Although 
you don’t necessarily need to earn your 
credentials as a Microsoft Certified Systems 
Engineer to manage a network, your chances of 
success improve greatly if you have a solid 
understanding of network hardware, 
communications protocols, TCP/IP addressing, 
and access controls. 


In general, you should ask the following 
questions when setting up a local area network: 


Is the network physically secure? Just as with 
a stand-alone computer, physical security should 
be your first priority. On a home network, this 
might not be a pressing concern, but in a small 
business or department, you should guard 
against the possibility of an attacker plugging into 
the network and using “sniffer” software to 
eavesdrop electronically on your network 
communications. 


Are shared network resources adequately 
protected? Your goal is to restrict access to 
shared resources (files, folders, and printers) so 
that only authorized users can connect to those 
resources across the network. To do so, you need 
to ensure that you have set up the proper mix of 


accounts on each computer that contains shared 
resources, with administrative accounts limited 
only to trusted users. You can then assign 
appropriate permissions for the shared resources, 
using a combination of share permissions and 
NTFS file permissions. Because the sharing 
security model varies in different versions of 
Windows, this task might be more complicated 
than it appears. 


Do you need to administer your network 
from a central location? Trying to manage a 
business network that consists of more than 10 
computers can run anyone ragged, especially if 
the computers are in separate locations. If your 
network has outgrown the “workgroup” label, 
you'll need to create a Windows domain with at 
least one computer running Windows 2000 
Server or Windows .NET Server. A Windows 
domain supplies some powerful security features, 
including the ability to enforce security policies 
through Active Directory, a database of user and 
group accounts that is available to all computers 
on the network. Peer-to-peer networks— 
consisting of computers running any combination 
of Windows XP Professional, Windows XP Home 
Edition, Windows 2000 Professional, or Windows 
95/98/Me—can be configured to be extremely 
secure, although administration is more difficult. 


Is your private network secured from 
unauthorized access via the Internet? 
Firewalls, routers, and access control policies can 
safeguard your network from outside intruders, 
but only if they’re properly installed and 
configured. Likewise, remote access software can 
provide an open door that outsiders can use to 
connect to individual computers on your network, 
at which point they are free to access any 


network resource. (See Chapter 15, “Sharing_an 
Internet Connection,” for information on how you 
can prevent unauthorized access to your local 
network. ) 


Configuring Network Hardware 


These days, the overwhelming majority of small 
networks are built around the Ethernet and Fast 
Ethernet standards. (The most common 
alternative is the increasingly popular IEEE 
802.11b standard, also known as Wi-Fi, and a 
group of similar technologies that operate at 
higher speeds. You can read about the security 
issues that are unique to wireless networks in 
Chapter 16, “Wireless Networking_and Remote 
Access.”) Some home networks use alternative 
networking technologies (HomePNA and 
HomePlug, for instance) that communicate over 
phone or power lines. Regardless of the specific 
technology used, however, the basic networking 
concepts work in much the same way. 


For starters, every computer needs a network 
adapter (also called a network interface card, or 
NIC) to communicate with the other computers 
on the network. These adapters can be internal 
(usually installed in a PCI slot or, on a portable 
computer, in a PC Card slot) or external (typically 
connected to a USB port). To connect multiple 
computers in an Ethernet network, you need a 
hub or switch (which is sometimes integrated into 
a router or residential gateway). 


Routers and firewalls are essential components of 
a secure network, and the differences between 
different hardware designs are profound. (We 
discuss these options in more detail in Chapter 
15, “Sharing_an Internet Connection.”) By 
contrast, most network adapters and hubs are 
interchangeable from a security standpoint, with 
one noteworthy exception: if you use IPSec 
(Internet Protocol Security) to encrypt traffic on a 
local area network, you may benefit from 


products such as Intel’s PRO/100 S and 3Com’s 
10/100 Secure NIC, both of which incorporate 
separate coprocessors designed to perform IPSec 
encryption on the network card without 
overtaxing the computer’s CPU. For all other 
network needs, any Windows-compatible 
Ethernet card should be sufficient. (For more 
information about using and configuring IPSec, 
see Restricting Ports Using IP Security.) 


One attribute of every standard Ethernet card has 
the potential to affect your network’s security and 
your personal privacy. The Media Access Control 
(MAC) address is a 48bit code that uniquely 
identifies your Ethernet adapter. The MAC 
address consists of 12 hexadecimal digits (using 
the numbers 0-9 and the capital letters A-F), 
broken into 6 two-digit groups. In Windows 2000 
and Windows XP, you can view the MAC address 
for a specific Ethernet adapter by entering 
ipconfig /all in a Command Prompt window. In 
Windows XP, you can view this information in the 
status dialog box for the network connection in 
question by following these steps: 


1. From Control Panel or the Start 
menu, open the Network 
Connections folder. 


2. Double-click the connection icon (or 
right-click and choose Status from 
the shortcut menu). 


3. On the Support tab, click the 
Details button. The MAC address 
appears on the first line, in the field 
labeled Physical Address. 


Decode a MAC address 


MAC addresses are not randomly 
assigned. The first half of the address 
(6 hexadecimal digits, or 24 bits) 
consists of an Organizationally Unique 
Identifier (OUI) that is specific to the 
manufacturer of your Ethernet card. 
These vendor codes are assigned by 
the Institute for Electrical and 
Electronic Engineers (IEEE), which 
maintains a searchable database of 
OUIs at 
http://standards.ieee.org/regauth/oui/ 
index.shtml. For more information and 
some excellent links to detailed 
technical information on MAC 
addresses, see Charles Spurgeon’s 
Ethernet Web site at 

http://www. ethermanage.com/ethern 
et/descript-troubleshoot.html. 


In Windows XP, you can also use the command- 
line utility Getmac to return the MAC addresses 
for one or more network adapters on a system. 
This command has one big advantage—you can 
run it remotely to gather this information from a 
group of network computers without leaving your 
desk. Unfortunately, if you have more than one 
Ethernet adapter in a given system, the results 
are inscrutable, because the output of the 
command associates each MAC with an Ethernet 
GUID rather than a name. To see the full syntax 
for this command, open a Command Prompt 
window and type getmac /?. 


Because each MAC address is (in theory, at least) 
unique to a specific hardware device and is 
transmitted with every TCP/IP packet, network 
managers can use this information for two 
purposes: 


e Using software, a network can be 
configured to allow or deny access 
based on MAC addresses. Many 
cable companies restrict users in 
this fashion by configuring the 
broadband connection to work with 
only a specific MAC address. If you 
replace your network adapter or 
install a router, you need to call the 
cable company and register the 
new MAC address. Similarly, some 
routers and wireless access points 
allow you to designate which MAC 
addresses are allowed to send and 
receive data through that device, 
rejecting packets from other 
addresses. 


The former restriction is annoying; 
the latter seems like a promising 
addition to your security arsenal. 
Unfortunately, both solutions fall 
apart quickly because of the ease 
with which MAC addresses can be 
“spoofed.” Changing the MAC 
address of the router so that it 
matches the address of the 
Ethernet card in your computer 
leaves your broadband 
configuration unchanged, even 
though you've actually added an 
entire network behind the router. 
Most Ethernet routers allow you to 
change their unique address 
through a menu. Figure 14-1, for 
instance, shows an advanced setup 
screen from an SMC Barricade 
router; clicking the Clone MAC 
Address button copies the address 


from the Ethernet adapter in the 
computer. 


“-Figure 14-1. Most routers 
allow you to change the MAC 
address using a menu 


By examining the logs of a router 
or a Web server, an administrator at 
another network may be able to 
monitor your actions on the 
Internet. In this scenario, the MAC 
address functions much like a 
browser cookie, except that it 
remains identical as you surf from 
site to site. Fortunately, MAC 
addresses are routinely stripped 
from packets at the first router they 
encounter; as a result, most Web 
sites will never see your MAC 
address. This information will, of 
course, always be available to your 
Internet service provider. 


Protocols and Other Software 
Components 


TCP/IP (Transmission Control Protocol/Internet 
Protocol) is the default network protocol in 
Windows 2000 and Windows XP. It provides easy 
connectivity across a wide variety of networks, 
including the Internet. Although TCP/IP has 
plenty of options you can configure, most users 
will accept the default settings without making 
any configuration changes. If you choose to use 
TCP/IP, you can take advantage of the full 
complement of security tools we describe 
elsewhere in this book, including IPSec and the 
Internet Connection Firewall in Windows XP. 


If you’re like most people, TCP/IP is the only 
protocol you'll ever need. It works exceptionally 
well on networks of all sizes, it’s fast, and you 
can tighten its security with an impressive array 
of tools from Microsoft and third parties. We think 
your network is perfectly safe and secure if you 
configure it to use TCP/IP, add a personal firewall, 
and install security patches as needed. Most 
security experts agree—but like so many topics, 
this opinion is far from unanimous. If you spend 
enough time browsing security-related Web sites, 
you'll encounter plenty of conflicting opinions 
about which protocols are safe and which are 
insecure. 


A small but extremely vocal minority of security 
experts argues that TCP/IP is inherently unsafe. 
They claim that the greatest strength of TCP/IP— 
its ubiquitous presence on the Internet—is also 
its greatest weakness, because TCP/IP packets 
intended for use on your local network can be 
forwarded out to the Internet. You can prevent 
this from happening by installing a hardware 


router or residential gateway, as described in 
“Sharing_an Internet Connection Through 
Hardware,” or by using Internet Connection 
Sharing, as described in “Sharing_an Internet 
Connection Through Software.” In either of these 
configurations, you’re perfectly safe. You can 
keep TCP/IP installed as your only network 
protocol, and you can skip the rest of this 
section. 


What if your network configuration does not 
include a dedicated router but instead uses a 
simple hub or switch that connects all the 
network’s computers to each other and to the 
Internet? In this configuration, your entire 
network is public, and every computer is open to 
outside attacks. If you absolutely insist on setting 
up your network this way, you need to protect 
yourself, with one of the following two options: 


e On each networked computer, 
install a third-party firewall such as 
ZoneAlarm or ZoneAlarm Pro 
(http://www.zonelabs.com). Define 
a local zone that includes all your 
local computers and allows them to 
access shared resources. (The built- 
in firewall in Windows XP will not 
work for this purpose because it 
cannot selectively allow or deny 
packets based on their IP 
addresses. ) 


e Disable file and printer sharing on 
the TCP/IP protocol for each 
computer on your network and 
instead enable sharing using the 
NetBEUI or IPX/SPX protocol. Then 
install a personal firewall on each 


computer to block outside TCP/IP 
traffic. This configuration is 
considerably more complex, but it’s 
secure and doesn’t require any 
additional investments in hardware 
or software besides the Windows 
operating system. Because neither 
protocol is installed by default in 
Windows 2000 or Windows XP, 
setting up this configuration is a 
two-step process: first, install the 
protocol you want to use instead of 
TCP/IP on your local network; 
second, disable file and printer 
sharing on the TCP/IP protocol and 
allow it on the alternative protocol. 
The same alternative protocol must 
be installed on all computers you 
want to use on the local network. 


IPX/SPX or NetBEUI? 


If you search the Web for advice on 
the correct network configuration for 
your computer, you'll undoubtedly find 
countless sites that recommend 
installing NetBEUI as an alternative 
protocol to TCP/IP. That’s not bad 
advice, but it’s based on a computing 
worldview that is no longer accurate. 
A little history helps explain why we 
think IPX/SPX is a better choice today 
if you insist on using an alternate 
protocol to TCP/IP. 


NetBEUI (the acronym stands for 
NetBIOS Extended User Interface and 
is pronounced net-booey) was 
originally developed in the 1980s for 


use with IBM’s LAN Server and 
Microsoft’s LAN Manager network 
operating systems. It was the default 
protocol used in Windows 95. Because 
NetBEUI was tuned for use on small 
networks, it was exceptionally speedy 
and required few resources, making it 
ideal for the computers of its day. 
NetBEUI cannot be used on Remote 
Access Service (RAS) connections. 


IPX/SPX (the acronym stands for 
Internetwork Packet 
Exchange/Sequenced Package 
Exchange) was developed in the 
1980s for use with Novell’s NetWare 
operating system, which explains why 
Microsoft’s version of this protocol is 
known as NWLink. It’s more robust 
than NetBEUI, and for years it was 
essential on corporate networks, 
where NetWare was the standard. 


Today, NetBEUI is officially orphaned— 
if you upgrade to Windows XP from a 
previous version of Windows, the 
Setup program removes the NetBEUI 
protocol and you have to reinstall it 
manually. Microsoft no longer provides 
technical support for computers 
running NetBEUI, and all development 
has ceased on this protocol. IPX/SPX, 
on the other hand, is still actively 
supported and developed. Because 
installing either protocol accomplishes 
the same goals on a small network, 
we recommend choosing the one that 
offers the fewest configuration and 
support headaches: IPX/SPX. 


Using NetBEUI or IPX/SPX in place of 
TCP/IP makes your network more 
difficult to break into, but it doesn’t 
provide perfect protection. Even if you 


take this precaution, you should still 
exercise all the other safeguards we 
recommend in this book, including the 
use of strong passwords, NTFS 
permissions, and firewalls. 


Installing IPX/SPX or NetBEUI on 
Windows XP 


To install IPX/SPX or NetBEUI on a computer 
running Windows XP, follow these steps: 


1. Open the Network Connections 
folder in Control Panel (if you’re 
using Category view, you'll find this 
icon under Network And Internet 
Connections). 


2. Right-click the icon for the adapter 
that connects your computer to the 
local network (the default name is 
Local Area Connection), and choose 
Properties. 


3. Click the Install button. 


4. In the Select Network Component 
Type dialog box, choose Protocol 
and then click Add. 


5. In the Select Network Protocol 
dialog box, choose the protocol you 
want to add: 


e To install IPX/SPX, 
select NWLink 


IPX/SPX/NetBIOS 
Compatible Transport 
Protocol and click OK. 


e To install NetBEUI, 
insert the Windows 
XP CD into your CD- 
ROM drive, click the 
Have Disk button, and 
then browse to the 
\Valueadd\Msft\ 
Net\Netbeui folder. 
Click Open, and then 
click OK. Click OK 
when you see the 
dialog box that warns 
you that the driver is 
not digitally signed. 


6. After verifying that the new 
protocol has been successfully 
added, click Close. 


If you installed IPX/SPX, it is not necessary to 
restart your computer. If you installed NetBEUI, 
you must restart to begin using the new protocol. 


Don’t overcomplicate the 
installation 


Microsoft Knowledge Base article 
Q301041, “How to Install NetBEUI on 
Windows XP,” details a cumbersome 
nine-step process for adding the 
unsupported NetBEUI protocol to your 
computer. This overly complex 
procedure isn’t necessary; just have 
the CD on hand, and you can install 
the alternative protocol on the fly, 
without any hassle. 


Installing IPX/SPX or NetBEUI on 
Windows 2000 


To install IPX/SPX or NetBEUI on a computer 
running Windows 2000 Professional, follow these 
steps: 


1. Click Start, Settings, Network And 
Dial-Up Connections. 


2. Right-click the icon for the adapter 
that connects your computer to the 
local network (the default name is 
Local Area Connection), and choose 
Properties. 


3. Click the Install button. 


4. In the Select Network Component 
Type dialog box, choose Protocol 
and then click Add. 


5%In the Select Network Protocol 
dialog box, select the new protocol 
you want to install (NetBEUI 
Protocol or NWLink 
IPX/SPX/NetBIOS Compatible 
Transport Protocol) and click OK. 


6°°After verifying that the new 
protocol has been added 
successfully, click Close. You don’t 
need to restart your computer. 


Disabling File Sharing over TCP/IP 
Follow these steps to disable file and printer 


sharing on the TCP/IP protocol and allow it on the 
IPX/SPX or NetBEUI protocol: 


1. From Control Panel, open the folder 
that contains your network 
connection icons. In Windows XP, 
this is the Network Connections 
folder. In Windows 2000, this folder 
is called Network And Dial-Up 
Connections. 


2. From the Advanced menu, choose 
Advanced Settings. 


3. In the Advanced Settings dialog 
box, select the connection that is 
used for Internet and local network 
access. (The default name is, not 
surprisingly, Local Area 
Connection.) 


4. In the Bindings For Local Area 
Connections box, locate the entry 
for Internet Protocol (TCP/IP) under 
File And Printer Sharing For 
Microsoft Networks and then clear 
the check box to its left. Figure 14- 
2 shows what the result should look 
like in Windows XP. 


“-Figure 14-2. If all computers 
on the local network connect to 
the Internet and to each other 
directly, use this configuration 
to avoid security problems. 


5. Click OK to save your changes, and 
close the Advanced Settings dialog 
box. 


When this configuration is in effect, all 
communication between computers on your 
network will take place using the nonroutable 
protocol you selected (in this case, IPX/SPX). All 


communications to locations outside your local 
network—in other words, to the Internet—will use 
TCP/IP and will be protected by your firewall. 


Restricting Network Access to 
Files and Folders 


Sharing files over a network is usually a fairly 
simple process, at least the mechanics of it: Open 
the properties dialog box for a folder, select a 
check box, give the shared resource a name to 
identify it over the network, and wait for other 
network users to connect to the shared resource. 


Sharing files securely over a network is a 
different story. Different versions of Windows 
offer different mechanisms for sharing files, and 
the task becomes even more complicated when 
computers on a network use various versions of 
Windows. If you’re concerned about restricting 
access to shared folders on a Windows network, 
read this section carefully. 


Windows Sharing and Security Models 


How do you control access to shared files and 
folders? Different versions of Windows offer 
distinctly different sharing models. 


Simple File Sharing. Simple File 
Sharing is the default configuration 
on all installations of Windows XP 
(except on computers running 
Windows XP Professional that are 
joined to a domain). In this 
configuration, you share folders and 
printers by selecting a single check 
box; Windows XP sets the 
appropriate shared resource 
permissions and (on volumes 
formatted with NTFS) file 
permissions. With Simple File 
Sharing, Windows uses the Guest 
account to authenticate all network 
logons. As a result, shared 
resources are accessible to all 
network users; you cannot 
selectively set permissions so that 
some users have access and others 
are locked out. 


Classic sharing. The classic 
sharing model is used on computers 
running Windows 2000 and on 
those running Windows XP 
Professional with Simple File 
Sharing disabled. (In Windows XP 
Home Edition, Simple File Sharing 
cannot be disabled.) When you 
Share a folder, you have the option 
to set access permissions on a per- 


account basis; by combining these 
permissions with NTFS file 
permissions, you can tightly control 
access to a shared folder. You can 
set varying permissions for 
individual users or groups (allowing 
full control to some, read-only 
access to some, and locking out 
others altogether, for example). You 
can also limit the number of 
simultaneous connections. This 
additional flexibility comes at the 
cost of complexity, however. You 
not only need to understand the 
sometimes confusing mix of 
permissions and how to set them, 
but also need to set up local 
accounts on each computer for 
users who should be allowed 
network access. 


Share-level access control. If 
any of the computers on your 
network are using Windows 
95/98/Me (or if you recently 
upgraded from one of these older 
versions of Windows), you might be 
familiar with a third sharing model. 
In a workgroup setting, these 
operating systems control access to 
shared resources by using 
passwords (one for read-only 
access and one for full access). 
When a network user tries to 
connect to a shared resource, 
Windows requests a password. 
Which password the user enters— 
the full control password, the read- 
only password, or an incorrect 


password—determines the user’s 
level of access to the share. 
Windows makes no attempt to 
determine who the user is; 
therefore, any user on the network 
who obtains (or guesses) the 
password has access to the share. 


Anyone who upgrades from Windows 95/98/Me to 
Windows 2000 Professional or Windows XP is 
practically certain to be confused by the sudden 
shift in sharing models. Instead of using a single 
password to allow full access to a particular 
shared folder or printer, Windows 2000 and 
Windows XP employ user-level access control, 
which means that each shared resource allows 
access only by specified user accounts. To gain 
access to a shared resource over the network, a 
user must be authenticated using the credentials 
of an account that has access to the share. If 
Simple File Sharing is enabled, the only account 
used is the Guest account, which requires no 
password. 


For more details about Simple File 
Sharing, including instructions on how 


to disable it, see Viewing_and 
Changing NTFS Permissions. 


Understanding how Windows controls access to 
shared folders can be tricky. Often, the most 
difficult challenge is understanding fully what 
permissions have been applied to a folder and 
which credentials are in use by each network 
user. Start by recognizing this fundamental 
principle: A/l network access is controlled by the 
computer with the shared resources. Regardless 
of what operating system is in use on the 
computer attempting to connect to a network 


share, it must meet the security requirements of 
the computer on which the resource is shared. 


Simple File Sharing in Windows XP 


Windows XP Home Edition uses Simple File 
Sharing exclusively. Windows XP Professional can 
use either Simple File Sharing or classic sharing. 
When Simple File Sharing is enabled, the 
following settings are in effect for any folder you 
designate as shared: 


e Share permissions. The built-in 
Everyone group has Full Control or 
Read access, depending on the 
Sharing tab setting. 


e NTFS permissions. The Everyone 
group (which includes the Guest 
account) has Modify or Read & 
Execute access, depending on the 
Sharing tab setting. 


e How to connect. All network users 
are authenticated as Guest and 
therefore can open any shared 
folder simply by double-clicking its 
shortcut in Windows Explorer. 


When Simple File Sharing is in use, you cannot 
selectively protect shared resources over a 
network. All users connecting over the network 
have identical permissions because Windows XP 
ignores their credentials and uses the Guest 
account for authentication. Clearly, this 
configuration is not appropriate for all networks. 
It is probably sufficient on most home networks, 
where users can be trusted and the most 
common use of sharing is to expand access to 


digital music and other media files. In business 
networks, however, the limitations of Simple File 
Sharing are sufficient to disqualify Windows XP 
Home Edition for use on any computer on which 
selective access to shared resources is necessary. 


Classic Sharing in Windows XP 
Professional and Windows 2000 


Compared with Simple File Sharing, the classic 
sharing model is far more powerful—and more 
complex. Classic sharing, which is available only 
in Windows XP Professional and Windows 2000 
Professional, allows you to specify different levels 
of access to resources on your computer based 
on user and group accounts. You can specify 
which users can access each resource (instead of 
allowing access to everyone on the network) and 
what permissions they have (instead of allowing 
the same access—modify or read-only—to 
everyone who connects over the network). When 
classic sharing is in use, the following settings are 
available for shared folders: 


e Share permissions. By default, 
the Everyone group has Full 
Control. Administrators on the 
sharing computer can grant or deny 
permissions to any user or group. 


e NTFS permissions. By default, a 
folder inherits the permissions of its 
parent folder, but administrators on 
the sharing computer can grant or 
deny permissions to any user or 
group. 


e How to connect. If your local 
account has the same user name 


and nonblank password as an 
account on the sharing computer, 
you're authenticated using that 
account and therefore have the 
access privileges granted to that 
account. If your local account does 
not match one on the sharing 
computer, you’re authenticated as 
Guest and therefore have only the 
access privileges explicitly granted 
to Everyone or Guest. (If the Guest 
account is disabled on the sharing 
computer, only users with an 
account matching a local account 
can connect to the share.) 


Classic sharing is the only option available for 
Windows 2000 Professional. To enable classic 
sharing in Windows XP Professional, go to Control 
Panel and open Folder Options (in the Appearance 
And Themes category), click the View tab, and 
clear the Use Simple File Sharing 
(Recommended) check box. 


Classic sharing imposes three fundamental 
changes in the way you control network access: 


e You specify shared resource 
permissions on a per-user basis. 
(Simple File Sharing sets shared 
resource permissions only for the 
Everyone group.) 


e If the shared folder is on an NTFS 
volume, you specify access control 
lists (ACLs) for each object in the 
share. (Simple File Sharing sets 
NTFS permissions only for the 
Everyone group and hides the 
ability to view or modify ACLs.) 


e Users who connect to your 
computer over the network are not 
automatically authenticated as 
Guest. If a network user’s user 
name and nonblank password 
match the user name and password 
of an account on your computer, 
Windows authenticates the user as 
the local account. If the user name 
and password of the network user 
do not match a local account, he or 
she is authenticated as Guest. 


How Shared Resource Permissions 
and NTFS Permissions Work 
Together 


On the surface, shared resource 
permissions and NTFS permissions are 
confusingly similar. In fact, avoiding 
this confusion is the primary reason 
that Microsoft introduced Simple File 
Sharing in Windows XP. If you use 
Windows 2000 or if you demand the 
greater level of security that comes 
with using the classic sharing model in 
Windows XP Professional, you need to 
understand how these two separate 
levels of access control work together. 


Shared resource permissions control 
network access to a particular 
resource. Shared resource permissions 
do not affect users who log on locally. 
You set shared resource permissions 
in the Permissions dialog box, which is 
opened from the Sharing tab of a 
folder’s properties dialog box. 


NTFS permissions apply to folders and 
files on an NTFS-formatted drive and 
provide extremely granular control 
over an object. For each user to whom 
you want to grant access, you can 
specify exactly what they’re allowed to 
do: run programs, view folder 
contents, create new files, change 
existing files, and so on. NTFS 
permissions affect all users, whether 
they log on locally or from across the 
network. You set NTFS permissions on 
the Security tab of the properties 
dialog box for a folder or a file. (For 
more information, see Using NTFS 
Permissions for Access Control.) 


Only accounts that successfully pass 
both tests are granted access. It’s 
important to recognize that the two 
types of permissions are combined in 
the most restrictive way. If, for 
example, a user is granted read 
permission on the network share, it 
doesn’t matter whether the user’s 
account has Full Control NTFS 
permissions on the same folder; the 
user can only read files and cannot 
modify them when connecting over 
the network. Conversely, a user might 
have modify permissions on the 
network share, but that means 
nothing if the user attempts to open a 
file whose NTFS permissions restrict 
the user to read access only. 


An account that attempts to connect 
over the network must first have its 
shared resource credentials validated. 


The account is either denied access or 
allowed to enter with certain 
permissions, at which point Windows 
checks the NTFS permissions for the 
requested object. Based on the user’s 
access token, Windows might strip 
away (but not add to) some or all of 
the permissions granted at the first 
doorway. 


In determining the effective 
permission for a particular account, 
you must also consider the effect of 
group membership. NTFS permissions 
are cumulative; an account that is a 
member of one or more groups has 
the permissions granted explicitly to 
the individual account in addition to all 
permissions granted to each group of 
which it’s a member. The only 
exception to this rule is Deny 
permissions, which take precedence 
over any conflicting Allow permissions. 


If Windows cannot authenticate a user trying to 
connect from the network, the user sees a logon 
dialog box. (Figure 14-3 shows what you'll see if 
you're using Windows XP Home Edition to 
connect to another computer on the network.) To 
gain access, enter the user name and password 
of an account that has been granted the 
permissions you need. If this account is a local 
account on the computer that contains the shared 
resource (as is always the case in a workgroup), 
enter the user name in the form 
computername\username (for example, 
Fellini\Ed). To use a domain user account where 
your computer is not joined to the domain, use 
the form domain\username; if your computer is 


joined to the domain, you can enter the user 
name alone. If you’re using Windows XP 
Professional, the logon dialog box includes a 
check box that you can select to save the user 
name and password so that you are automatically 
authenticated whenever you connect to that 
resource. 


“-Figure 14-3. To connect to a shared folder 
on a computer using classic sharing, you 
must enter the name and password of a user 
with an authorized account. 


If you get an “access denied” error message 
instead of a logon dialog box when you try to 
connect to a shared resource, Windows cannot 
match your logon credentials to an account that 
is authorized to access the resource in question. 
This problem is inevitable if you are authorized to 
access shared resources on another computer 
using a different user name/password 
combination than the one you use to log on to 
your computer. 


If you’re running Windows XP Professional, you 
can solve this problem by storing the user name 
and password in the Protected Storage 
subsystem, where it’s available when you log on. 
If you select the Remember My Password check 
box, Windows does this automatically. You can 
also add credentials for another network 
computer manually. Here’s how: 


1. In Control Panel, open User 
Accounts. 


2. Click your name in the Pick An 
Account To Change list. 


3. Under Related Tasks, click Manage 
My Network Passwords. 


4. Click Add, and then enter the name 
of the server and a valid user name 
and password. 


“(If your computer is joined to a 
domain, the path to Stored User 
Names And Passwords is slightly 
different: in User Accounts, click 
the Advanced tab and then click 
Manage Passwords.) You might 
need to log off and log on before 
you can access the shared folder. 


If you’re using Windows XP Professional, these 
options allow Windows to save the credentials so 
that you need never enter them again to access 
the same resource. Unfortunately, the same is 
not true of Windows XP Home Edition or of 
Windows 2000. Both of these operating systems 
remember your credentials only as long as you 
remain logged on. If you log off or restart your 
computer, you need to reenter the user name and 
password to access a shared resource. With a 
little effort, you can work around these 
limitations and connect to a network share with 
an alternative user name and password. One way 
to accomplish this task is to create a batch file 
that includes the net use command, adding a 
valid user name and password at the end of the 
command. (The complete syntax is available by 
typing net use /? at a command prompt.) 
Unfortunately, this option unnecessarily 
compromises your security by storing the 
password in plain text; anyone who can find the 
batch file can open it in a text editor and learn 
your password. 


A much better option is to map the shared folder 
to a drive letter. Although this option is primarily 
designed to make browsing files easier by 


replacing a cumbersome path with a single drive 
letter, it also includes the option to pass a 
different set of credentials with which to connect 
to the network share. By mapping a share ona 
remote server and connecting to it automatically 
at startup, you can force Windows to save your 
logon credentials and reuse them for all 
connections to the same server. Follow these 
steps: 


1. In Windows Explorer, choose Tools, 
Map Network Drive. 


2. Select any available drive letter 
from the drop-down list in the Drive 
box. The exact letter doesn’t 
matter. 


3°*In the Folder box, type the path 
to the folder you want, using UNC 
syntax. 


4. Select Reconnect At Logon; this 
option instructs Windows to connect 
to this shared folder automatically 
each time you log on. 


5. Click the Different User Name link, 
enter a user name and password 
that is authorized to access the 
shared resource, and then click OK. 


6°°Click Finish. 
Shared Folders on Windows 95/98/Me 


If your network includes any computers running 
Windows 95/98/Me, they rely on passwords to 
protect shared resources. When a user 
authenticates from across the network, Windows 


ignores the user name and checks only the 
password. These settings apply to the shared 
folders: 


e Permissions. When a folder is 
shared, it can be protected with a 
password for read-only access, a 
password for full access, both, or 
neither. 


e How to connect. Any network 
user can open any shared folder 
simply by double-clicking its icon in 
Windows Explorer. If the password 
for the current user account mat 
ches the password assigned to the 
folder, the folder opens 
immediately. If not, Windows asks 
you to provide the password in a 
dialog box similar to the one shown 
in Figure 14-3. You don’t need to 
provide a user name; that box is 
disabled. 


Learn the secrets of long share 
names 


In Windows 2000 and Windows XP, 
share names can be up to 80 
characters long, including spaces and 
punctuation. In Windows 95/98/Me, 
share names are limited to a total of 
12 characters in length. If your 
network includes computers running 
different versions of Windows, you can 
take advantage of this technical 
difference to prevent users of older 
versions of Windows from accessing 
shared resources on computers 


running Windows 2000 or Windows XP. 
If you name a share Projects, for 
example, any user can see it, even 
from a computer running Windows 98. 
But if you name the share Secret 
Projects (a total of 15 characters, 
including the space), only users of 
computers running Windows 2000 or 
Windows XP can see the share. 
Because you easily prevent an 
untrusted user from logging on to 
computers running Windows 2000 and 
Windows XP, this technique is 
surprisingly effective. 


Setting Up Shared Folders 


To create a shared folder, you must be logged on 
as a member of the Administrators, Power Users, 
or Server Operators group. (After a folder has 
been shared, however, the share is available to 
network users no matter who is logged on to your 
computer—or even when nobody is logged on.) 
On a computer running Windows 2000, you can 
create a shared folder at any time. If you're using 
Windows XP, however, you must jump through 
one preliminary hoop first. 


Enabling File Sharing on Windows XP 


On a clean installation of Windows XP in a 
workgroup setup (where your computer is not 
joined to a domain), sharing is disabled. That’s 
because sharing in this configuration relies on the 
Guest account, which is disabled by default. This 
is an essential security precaution. Until you 
specifically enable sharing, anyone who attempts 
to connect to a shared resource on your 
computer sees a logon dialog box like the one 
shown in Figure 14-4. As you can see from this 
figure, the Guest account on the machine with 
the shared resource is already selected and 
cannot be changed. No matter what password 
you try to use, the connection will not succeed 
because the Guest account does not have 
permission to log on from the network. 


“-Figure 14-4. Don’t be confused by this 
dialog box—no matter what password you 
enter, you wont be able to connect over the 
network to a computer running Windows XP 
until sharing is enabled. 


The easiest way to configure your computer for 
sharing folders, files, and printers is to run the 
Network Setup Wizard. If you haven’t already 
done so, Windows prompts you to run the 
Network Setup Wizard the first time you try to 
share a folder. When you right-click a folder icon 
and choose Sharing And Security, you might see 
the warning shown in Figure 14-5, which 
indicates that sharing is currently disabled. (If 
the Sharing tab instead displays a pair of check 
boxes and a text input box, sharing is already 
enabled.) 


“-Figure 14-5. If sharing hasn't yet been 
enabled, you'll see a dialog box like this 
when you try to share a folder. 


Running the Network Setup Wizard leads you 
through a series of actions designed to install and 
configure TCP/IP, set your workgroup and 
computer names, and enable the Internet 
Connection Firewall, if appropriate for your 
network configuration. As far as sharing is 
concerned, it performs two specific actions: 


e It enables the Guest account. If you 
prefer, you can do this manually by 
typing net user guest 
/active:yes at a command 
prompt. (Note that enabling the 
Guest account does not add it to 
the Welcome screen. To do that, 
you must open User Accounts in 
Control Panel, click the Guest 
account icon, and choose Turn On 
The Guest Account. This extra step 
enables Guest—if it’s not already 
enabled—and removes the Deny 
Logon Locally user right for the 
Guest account.) 


e It removes the Guest account from 
the list of accounts with the Deny 
Access To This Computer From The 
Network user right. To perform this 
task manually in Windows XP 
Professional, you need to open 
Local Security Settings 
(Secpol.msc) and navigate to Local 
Policies\User Rights Assignment. 
This option is not available in 
Windows XP Home Edition. 


You might be curious about the link just below 
the warning text: If You Understand The Security 
Risks But Want To Share Files Without Running 
The Wizard, Click Here. If you take Windows up 
on this offer, you see the dialog box shown here. 
The top choice offers you one last chance to run 
the Network Setup Wizard. If you've already 
configured your network and don’t want to 
tamper with any other aspects of your 
connection, you can safely choose the bottom 
option, Just Enable File Sharing. Doing so enables 
the Guest account and removes it from the list of 
accounts with the Deny Access To This Computer 
From The Network user right. 


“-If you use Windows XP Professional and you 
don’t plan to use Simple File Sharing, you don’t 
need to enable sharing in the manner described 
in this section. In fact, by not enabling the Guest 
account, you can create a more secure 
environment in which only users you designate 
can access your computer’s shared resources. For 
full details, skip ahead to “Sharing_a Folder Using 
Classic Security.” 


Configuring a Shared Folder with 
Simple File Sharing 


When you use Windows XP with Simple File 
Sharing enabled, running the Network Setup 
Wizard automatically shares your computer’s 
Shared Documents folder on the network. It 
appears on other computers as SharedDocs, and 
all network users can view, modify, and add files 
in this folder. After you enable sharing, you can 
share any drive or any folder, with the following 
exceptions and limitations: 


e You cannot share the Program Files 
folder, although you can share 
subfolders within the Program Files 
folder. 


e You cannot share the Windows 
folder or any of its subfolders. 


e If you attempt to share the root 
folder of a drive, Windows first 
displays the warning shown here. If 
you are certain that you want to do 
so anyway, click the link to bypass 
the warning. 


Don’t share your system’s root 
folder! 


The warning against sharing the root 
of a drive is well-founded, especially 
on a computer running Windows XP, 
where anyone who can connect to the 
computer can potentially gain access 
to sensitive locations. Remember that 
sharing a drive shares all its 
subfolders as well; if you share the 
root of a drive, everything on the drive 
is available. And because Simple File 
Sharing allows any network user to 


access your shared resources, the full 
content of your shared drive is open to 
anyone on your network. (If the drive 
is formatted as an NTFS volume, NTFS 
permissions might be configured to 
restrict Guest access to some folders, 
however. ) 


What’s the risk? An attacker can gain 
a significant amount of control over a 
computer by placing an executable file 
in the root folder of the drive that 
contains system or boot files (typically 
C:\) or in a system folder such as 
Windows or System32. The risk is 
especially serious if the attacker can 
then convince the owner of the 
compromised system to visit a Web 
page or open an e-mail message that 
exploits an unpatched vulnerability in 
the operating system. Using a buffer 
overflow or other exploit, the attacker 
can cause the planted file to run using 
the permissions associated with the 
logged-on user—or, in a worst-case 
scenario, as the System account. 


It’s always safe to share a read-only 
volume, such as a CD drive—provided 
that the data in that location is not 
sensitive. However, the only time you 
should share the root of a hard drive 
is when you have dedicated a volume 
exclusively to storage of data and you 
want other network users to be able to 
tap that data. If you install a second 
hard disk on your computer, for 
instance, format it as drive F, and use 


it to store your digital music files, you 
can safely share the root of that drive. 
To share a folder or a drive, follow these steps: 


1. In Windows Explorer, right-click the 
icon for the folder or the drive you 
want to share and choose Sharing 
And Security from the shortcut 
menu. 


2. In the Network Sharing And 
Security box, select Share This 
Folder On The Network. 


3°"Specify a name for the shared 
resource in the Share Name box. 
(This is the name that network 
users see when they browse to 
your shared folder.) Windows 
proposes the name of the folder or, 
for a drive, the drive letter. Making 
a change here affects only the 
name visible on the network; it 
doesn’t change the name of the 
folder on your computer. 


4. By default, Windows selects the 
Allow Network Users To Change My 
Files check box, which means 
network users can create and 
modify files in your shared folder 
(subject to the limitations imposed 
on the Guest account). If you want 
to allow network users to view files 
in your shared folder and its 
subfolders but not allow them to 
create or modify files, clear this 
check box. 


When you complete these steps, all network 
users will be able to find your shared folder in 
their My Network Places folder (or in the Network 
Neighborhood folder, if they’re using older 
versions of Windows). They can also connect to 
your shared folder by entering its name in UNC 
format: \computername\sharename. After 
making the connection, they can view the folder’s 
contents and change any files or subfolders 
located there, unless you configured the shared 
folder for read-only access. With Simple File 
Sharing enabled, Windows ignores the logon 
name and password of network users and instead 
authenticates them as if they were using the 
Guest account. Thus, for folders you share over 
the network, network users have the same 
privileges as those granted to someone using the 
Guest account to log on locally. 


Behind the scenes, here’s what Windows XP does 
when you share a folder with Simple File Sharing 
enabled: 


e It creates a share and grants 
shared resource permission to the 
built-in Everyone group. (The Guest 
account is a member of the 
Everyone group.) Depending on the 
choice you make about the Allow 
Network Users To Change My Files 
option, Windows grants Read 
permission (if the option is not 
selected) or Full Control permission 
to Everyone. 


e If the shared folder is on an NTFS- 
formatted drive, Windows adds an 
entry for Everyone to the folder’s 
ACL. If Allow Network Users To 


Change My Files is not selected, the 
ACL allows Read & Execute 
permission; otherwise, the ACL 
allows Modify permission. Be aware 
that, by default, NTFS permissions 
are inherited by child objects (that 
is, files and folders in the folder, as 
well as the files and folders they 
contain). 


For details about the interaction of shared 
resource permissions and NTFS permissions, see 
How Shared Resource Permissions and NTFS 
Permissions Work Together. For information about 


Subfolders Through Inheritance. 
Sharing a Folder Using Classic Security 


On a computer configured to use the classic 
security model, you define access permissions for 
shared folders by granting permissions to user 
and group accounts. In a workgroup, these 
accounts are maintained in a security database 
on your computer; each account must have a 
nonblank password. In a Windows domain, 
information about user accounts is stored ina 
global security database on a domain controller. 
All computers in the domain refer to the domain 
controller when they need account information. 


Accounts that you intend to use for 
network access to shared folders must 
have a password. Except for the Guest 


account, Windows security prohibits 
network access by accounts with a 
blank password. 


You can share folders on your own computer with 
other users on your network. 


Set permissions before sharing 


If you’re sharing a folder on an NTFS 
drive, you should set the NTFS 
permissions as you want them before 


you Share the folder. That way, 
security restrictions are in place before 
you make the folder available on the 
network. 


To share a folder or a drive, you must be logged 
on as a member of the Administrators, Power 
Users, or Server Operators group. Follow these 
steps: 


1. In Windows Explorer, right-click the 
icon for the folder or the drive you 
want to share and then choose 
Sharing And Security from the 
shortcut menu. 


2. On the Sharing tab of the folder’s 
properties dialog box, select the 
Share This Folder option. 


3%Accept or change the proposed 
share name. 


If the folder is already 
shared, click New Share 
and then type the share 
name. Local drives 
always have a default 
administrative share 
whose share name 
consists of the drive 
letter and a dollar sign 
(for example, C$). This 
share name is not visible 
to others, and you can’t 


set permissions for the 
default share—so you'll 
want to create a new 
share. 


The share name is the name that 
other users will see in their My 
Network Places folders. Windows 
initially proposes to use the folder’s 
name as its share name. That’s 
usually a good choice, but you’re 
not obligated to accept it. If you 
already have a shared folder with 
that name, pick a different name 
instead. 


Don't let share names 
give away information 


A little curiosity is a 
dangerous thing. When 
sharing folders that 
contain especially 
sensitive data, don’t use 
share names that 
encourage a Casual 
observer to try to break 
in. Instead, choose 
codes that describe the 
contents in terms you 
can understand but that 
won't set off red flags 
for others. For instance, 
if you need to share 
payroll data with an 
accountant on your 
small business network, 
use a share name such 
as Pr-2003 instead of 
Payroll Data. A casual 


observer who sees the 
former name is likely to 
skip right over it, 
whereas anyone who 
sees the latter used as a 
share name is sure to 
mention it around the 
water cooler. 


4. Type a description of the folder’s 
contents in the Comment box. 
Although this step is optional, a 
descriptive comment is helpful to 
other users, who will see this 
information when they inspect the 
folder’s properties dialog box in 
their My Network Places folders (or 
use Details view). 


5. To limit the number of users who 
can connect to the shared folder 
concurrently, select Allow This 
Number Of Users and then specify a 
number. On a small network, this 
option is rarely needed. The default 
choice, Maximum Allowed, permits 
up to 10 concurrent users. (If you 
need to share a folder with more 
than 10 users at once, you must 
use a server version of Windows.) 


Hiding a Shared Folder 


Whether you're using Simple File Sharing or 
classic sharing, you can hide any share name so 
that it’s invisible to anyone browsing over the 
network (using the My Network Places folder or 
Windows Explorer). The secret is to append a 
dollar sign to the share name—for example, 


Projects$. Users who know the exact name of the 
shared folder can still connect to it by typing its 
name—including the dollar sign—into any place 
network paths are accepted, such as the Address 
bar, the Add Network Place Wizard, the Map 
Network Drive dialog box, and so on. They can 
also create shortcuts that open the hidden folder 
directly. 


Like many Windows security features, hiding 
share names is not foolproof and doesn’t 
guarantee that your shared folders will remain 
untouched. The convention that a share with its 
name ending with a dollar sign should be hidden 
is a function of the client computer, not the 
computer serving up the shared folder. All 
versions of Windows hide such shares, but if your 
network includes Apple Macintosh computers or 
computers running Linux, users of those 
computers can view the “hidden” shares. In 
addition, a would-be intruder who knows how to 
program in a scripting language such as Perl can 
easily enumerate all the shares on an entire 
network, hidden or not. To completely secure 
your sensitive shared data, you must also set 
permissions appropriately. 


Removing a Share 


To remove a share on a computer running 
Windows XP with Simple File Sharing, open the 
folder’s properties dialog box, click the Sharing 
tab, and clear the Share This Folder On The 
Network option. If you’re using the classic 
sharing option, select the Do Not Share This 
Folder option. 


Assigning Permissions to a Shared 
Folder 


In Windows 2000 and Windows XP, the default 
shared resource permission associated with a 
new share is Full Control to Everyone. That 
means that anyone on your network can do 
whatever they want to files stored in that 
location, including deleting or changing them. (If 
the shared folder resides on an NTFS volume, 
individual subfolders and files can have their own 
access restrictions, however.) If you use classic 
sharing, you can place limits on what particular 
users or groups of users can do with your shared 
files by clicking the Permissions button on the 
Sharing tab. This action displays the Permissions 
dialog box shown in Figure 14-6. 


“-Figure 14-6. To set share permissions, 
right-click the shared folder in Windows 
Explorer and open its properties dialog box. 
Then click Permissions on the Sharing tab. 


Follow these steps to view or set permissions: 


1. In the list of names at the top of 
the Permissions dialog box, select 
the name of the user or the group 
you want to manage. The shared 
resource permissions for the 
selected user or group appear at 
the bottom of the dialog box. 


2. Select Allow, Deny, or neither for 
each access control entry: 


e Full Control. 
Controls whether 
users can create, 
read, write, rename, 
and delete files in the 
folder and its 
subfolders. If Allow is 


selected, users can 
change permissions 
on and take 
ownership of files on 
NTFS volumes. 
Selecting this option 
automatically selects 
the corresponding 
check boxes for the 
Change and Read 
permissions. 


e Change. Allows or 
denies permission to 
read, write, rename, 
and delete files in the 
folder and its 
subfolders, but not to 
create new files. 


e Read. Allows or 
denies permission to 
read files but not 
write to, rename, or 
delete them. 


If you select neither Allow nor 
Deny, the user or group is implicitly 
denied permission to the resource. 
However, any user or group can still 
inherit the permission through 
membership in another group that 
has the permission. 


To remove a name from the Group Or User 
Names list, select it and click Remove. To add a 
name to the list, click Add to open the Select 
Users Or Groups dialog box, where you can enter 
the names of the users and groups you want to 


add. For more information about this dialog box, 
see Using NTFS Permissions for Access Control. 


Disable Guest access to shared 
folders 


Setting up a share grants permission 
to the built-in Everyone group by 
default. In Windows XP, the Guest 
account is included in Everyone, and 
because Windows authenticates 
network users who don’t have an 
account on the local computer as 
Guest, anyone on your network has 
access to a share. If you want to 
exclude anyone who does not have a 
user account on your computer, in the 
Permissions dialog box, select 
Everyone and click Remove. Then click 
Add, type Authenticated Users, and 
click OK. (The built-in Authenticated 
Users group does not include the 
Guest account.) Select Authenticated 
Users in the Group Or User Names 
box, and then select the Allow check 
box for Full Control. 


In Windows XP, files and folders that 
are created in a shared folder on an 
NTFS drive while Simple File Sharing is 
enabled are owned by the local Guest 
account. Ownership of files doesn’t 
change when you disable or enable 
Simple File Sharing. Be aware that, 
even if you change to classic sharing 
and impose tighter security on your 
shared folders, users who log on as 
Guest (locally or remotely) continue to 
have full control over files that were 


created by any remote user while 
Simple File Sharing was enabled 
(assuming they still have access to the 
shared folder). To remedy this 
situation, take ownership of the folder 
and its contents, and remove 
Everyone from the ACLs of the folder 
and its contents. 


Managing Shared Folders 


Although you can create, remove, and change 
permissions for individual shared folders from 
Windows Explorer, this technique has one 
significant disadvantage: it offers no way for you 
to quickly and effectively review the settings for 
all shared folders on a computer. You have to 
browse through the entire hierarchy of folders to 
see which ones are shared. If you forget that 
you've temporarily shared a folder, you could end 
up sharing important data. For a more centralized 
approach, use the Shared Folders snapin for 
Microsoft Management Console (MMC). 


To start the Shared Folders snap-in, open 
Computer Management (right-click My Computer, 
and choose Manage) and then navigate to 
System Tools\Shared Folders. You can open 
Shared Folders in its own console window— 
without all the clutter of Computer Management 
—by typing fsmgmt.msc at a command prompt. 
Figure 14-7 shows the Shared Folders snap-in, 
which works essentially the same under Windows 
2000 and Windows XP. 


“-Figure 14-7. Use the Shared Folders MMC 
snap-in to view and manage all shared 
folders from one central location. 


To use the Shared Folders snap-in, you must be a 
member of the Administrators or Power Users 
group. And to use it for anything other than 
merely viewing shares, sessions, and open files, 
you must have Simple File Sharing disabled 
(which means that Shared Folders is of limited 
use to anyone running Windows XP Home 
Edition). 


When you open Shared Folders, all the shared 
folders on your computer are visible in the Shares 
folder. If you use Windows XP Home Edition, you 
can view shares, sessions, and open files—period. 
If you’re using Windows 2000 or Windows XP 
Professional with Simple File Sharing disabled, on 
the other hand, you can modify the properties of 
any folder by right-clicking it and choosing 
Properties. The folder’s Properties dialog box 
appears, as shown in Figure 14-8. Notice that 
using the Share Permissions tab shown here 
achieves the same end as opening the Properties 
dialog box from a folder in Windows Explorer and 
clicking the Permissions button on the Sharing 
tab. 


“-Figure 14-8. Choose Properties in the 
Shared Folders snap-in to open a dialog box 
like this. 


Managing Administrative Shares 


A handful of the shares you see in the Shared 
Folders list are created by the operating system. 
Most of these share names end with a dollar sign 
($), which makes them “invisible” when another 
Windows user browses through the list of shares 
on your computer. They are not inaccessible, 
however. Any user who knows the name of an 
administrative share can attempt to connect to it 
simply by typing the share name at a command 
prompt rather than selecting it from the browse 
list. (Use UNC format to make such a connection: 
\computername\sharename.) If the computer 
that contains the administrative shares is running 
Windows 2000 or Windows XP Professional with 
Simple File Sharing disabled, the connection will 
be successful if the remote user supplies a user 
name and password that match the credentials of 
a local administrator. With Simple File Sharing 
enabled, however, all interactive logons to 
administrative shares are blocked. In fact, 
because Simple File Sharing cannot be disabled in 
Windows XP Home Edition, this version of 
Windows creates only the IPC$ share by default. 


In general, you cannot view or set permissions on 
administrative shares, as you can for shares you 
create; the operating system hard-wires access 
controls so that only members of the local 
Administrators group and select built-in accounts 
can connect to administrative shares. 


You can stop sharing administrative shares only 
temporarily. The share reappears the next time 
the Server service starts or you restart your 
computer. In Chapter 2, we provide instructions 
for disabling this feature so that when you delete 
an administrative share it is not automatically re- 


created the next time you restart your computer. 
(See 9. Review All Network Shares for details). 


Table 14-1 describes the administrative shares 
you are most likely to see on a computer running 
Windows 2000 Professional or Windows XP. 


Table 14-1. Administrative Shares 


AELE Description 

Name 

C$, D$, Windows creates a share for the 

E$, and root folder of every partition and 

so on volume on a local hard drive, using 
the drive letter of the volume 
(followed by a dollar sign to hide 
the share) as the share name. 
Each share allows members of the 
Administrators and Backup 
Operators groups to connect to the 
specified volume. These shares are 
often used by backup programs 
and by centralized network 
administration tools such as 
Microsoft Systems Management 
Server. 


ADMIN$ This share maps to the 
%SystemRoot™% folder 
(C:\Windows on a typical clean 
installation of Windows XP; 
C:\Winnt on a typical clean 
installation of Windows 2000). This 
share is most often used by 
remote administration programs. 


ae Description 

IPC$ Windows creates this share to 
enable interprocess 
communications (IPC) using a 
protocol called named pipes. IPC 
allows data transfer between 
programs and processes over a 
network—during remote 
administration and when viewing a 
computer’s resources, for instance. 


PRINT$ This share is used for remote 
administration of printers. 


FAX$ This share exists only if you have 
fax server software installed and is 
rarely used on desktop versions of 
Windows; it is used by clients to 
send faxes and access cover pages 
stored on the server. 


Newcomers to Windows 2000 and Windows XP 
are sometimes unnerved to learn that the 
operating system sets up administrative shares 
and makes them accessible from the network. In 
normal use, these shares are perfectly safe from 
attack. For high-security environments, however, 
expert users may choose to disable these shares. 


Creating a New Share 


Although the easiest way to share a folder is to 
start from Windows Explorer, you can also create 
a new share by using the Shared Folders snap-in. 
The Create Shared Folder Wizard is available in 
the Shared Folders snap-in only if you are using 
Windows 2000 or Windows XP Professional with 
Simple File Sharing disabled. To start the wizard, 
right-click Shares in the console tree and choose 
New File Share and then follow the prompts to 
select the folder you want to share and set up 
basic security options, as shown in Figure 14-9. 
Unlike the default share permissions applied 
when you create a share in Windows Explorer 
(whether Simple File Sharing is enabled or not), 
the wizard allows you to set different permissions 
for administrators (members of the 
Administrators group) and other users 
(Everyone). 


“-Figure 14-9. The Create Shared Folder 
Wizard provides an alternative to sharing a 
folder from Windows Explorer. 


You don’t need to open the Shared Folders 
console to get to the Create Shared Folder 
Wizard; you can run it by typing shrpubw at a 
command prompt. Surprisingly, this shortcut 
works in Windows XP (including Home Edition) 
when Simple File Sharing is enabled. 
Unfortunately, using the wizard to create a share 
with custom permissions is of no use in this 
configuration because when Simple File Sharing 
is enabled (as it is all the time in Windows XP 
Home Edition), all network users are 
authenticated as Guest. Even if you set up 
different permissions for different network users, 
Windows XP ignores these permissions and uses 


the permissions assigned to the Guest account 
instead. 


Managing Sessions and Open Files 


Each user who connects to your computer creates 
a session. Using the Shared Folders snap-in, you 
can see a list of all active sessions, revealing who 
is currently connected to the computer as well as 
what files they have open. Click Sessions in the 
console tree to have the current sessions appear 
in the details pane, as shown in Figure 14-10. 


“-Figure 14-10. The Sessions folder shows 
which network users are connected to your 
computer. 


See who is authenticated 


If you’re trying to determine why 
some users have access to certain 
folders and others don’t, it’s helpful to 
know whether they're being 
authenticated using their unique logon 


credentials or using the Guest 
account. That’s easy to do with Shared 
Folders. In the Sessions folder, the 
rightmost column is titled Guest; its 
value is either Yes (authenticated as 
Guest) or No (authenticated as named 
user). 


Click Open Files in the Shared Folders console 
tree to see a list of shared files that are currently 
open for other users. This viewing tool is 
especially useful if you’re receiving an error 
message when you try to open a file that’s in use 
by someone else. 


Besides seeing who is connected, you can 
disconnect any or all sessions and close any open 
files. That’s an effective way of kicking out 
unauthorized users when you find them 


connected to shared resources on your computer. 
Right-click a session and choose Close Session to 
close a single session. Right-click Sessions in the 
console tree and choose Disconnect All Sessions 
to close all the open sessions. You can close an 
individual file by right-clicking it and choosing 
Close Open File. You can close all the open files at 
once by right-clicking Open Files in the console 
tree and choosing Disconnect All Open Files. 
Taking any of these measures is a drastic step 
that can cause other users to lose data, so you 
should avoid disconnecting users or closing open 
files unless the situation is a genuine emergency. 


Workgroups vs. Domains 


Computers on a Windows network can be joined 
together in a workgroup or a domain. 


In a workgroup, the security database (including, 
most significantly, the list of user accounts and 
the privileges granted to each one) for each 
computer resides on that computer. When you log 
on to a computer in a workgroup, Windows 
checks its local security database to see whether 
you've provided a user name and password that 
matches one in the database. Similarly, when 
network users attempt to connect to your 
computer, Windows again consults the local 
security database. A workgroup is sometimes 
called a peer-to-peer network. 


By contrast, a domain consists of computers that 
share a security database stored on one or more 
domain controllers running a member of the 
Windows .NET Server, Windows 2000 Server, or 
Windows NT Server families. When you log on 
using a domain account, Windows authenticates 
your credentials against the security database on 
a domain controller. 


Throughout this book, we assume that your 
network does not include a domain controller. In 
a domain environment, security is managed at 
the server, and the task is significantly more 
complex than we can cover in this book. 


Nonetheless, we can point out the security- 
related differences you’re likely to encounter if 
you connect your computer to a domain-based 
network. (For a complete discussion of how to 
make Windows XP coexist with a domain, see 
Chapter 33, “Working with Windows Domains,” in 
our book Microsoft Windows XP Inside Out.) 


Logon and Logoff. The Windows XP Welcome 
screen is unavailable in a domain environment. 
Instead, you use the “classic” logon, which 
prompts you to press Ctrl+Alt+Delete and then 
enter your user name (if it isn’t already entered 
from your last session) and password. If you use 
Windows 2000, the logon procedures are identical 
except for the addition of a Domain box at the 
bottom of the Logon dialog box. 


Passwords. A domain administrator can change 
the password for your domain account. Any user 
who is a member of the local Administrators 
group can change the password for any local 
account. In Windows XP, the option to create or 
use a Password Reset Disk is not available. 


File Sharing and Security. Although the Simple 
File Sharing option is available in the Folder 
Options dialog box on a computer running 
Windows XP Professional in a domain, it has no 
effect. A computer joined to a domain uses 
classic sharing, just as in Windows 2000. (If you 
use Windows XP Home Edition, you’re stuck with 
Simple File Sharing and are unable to join a 
domain, although you can access a domain’s 
resources with the proper user name and 
password. ) 


Logon Scripts and Group Policy. In a domain 
environment, a domain administrator can set up 
scripts that run automatically each time you log 
on to your computer. These scripts, which are 
usually stored and administered on the domain 
controller, can be used to provide software 
updates, new virus definitions, and other 
information to your computer; set up network 
connections; start programs; and perform other 
tasks. Group Policy settings are centrally 
managed and can be selectively applied to 


computers, users, groups, domains, and other 
divisions. On a managed network, the combined 
effect of these features can severely limit your 
ability to control your own system’s configuration. 


Chapter 15 


Sharing an Internet Connection 


Protecting a local area network in a home or 
small office is relatively easy. You can sit down in 
front of each computer to check its security 
settings, and you can stroll down the hallway and 
see exactly who’s using each computer on the 
network. But all that changes as soon as you 
connect your network to the Internet. 


Unless you carefully consider security when 
configuring your Internet connection, you could 
end up inadvertently extending the borders of 
your local area network far beyond those you 
intended. In a worst-case scenario, where your 
Internet connection is inadequately protected and 
you haven't installed the latest security patches 
for Microsoft Windows, a stranger from halfway 
around the world could join your network, which 
would then no longer seem nearly so local. Given 
enough time and motivation, an attacker from 
the outside could poke around in confidential 
data, sabotage files, or hijack your connection 
and use it as a launching pad for attacks on other 
Internet hosts. 


As we explain in this chapter, you can choose 
from a wide range of options for connecting your 
local network to the Internet. Cost and 
complexity are the two considerations that most 
people focus on first, but we believe security 
should be at the top of your list. 


Security Checklist 


Here’s a list of steps you should be 
sure to take in securing your 
network’s Internet connection. 


Add a router or 
residential gateway to 
your network, or use 
Internet Connection 
Sharing. Either solution 
uses Network Address 
Translation (NAT) to hide 
your local computers 
from the outside world 
and thereby increase 
your network’s security. 


Disable file and printer 
sharing on your Internet 
connection. 


Add a personal firewall 
to protect your Internet 
connection from outside 
attacks. If you have 
Windows XP, the 
Network Setup Wizard 
performs this task 
automatically. 


If you have a router that 
doesn’t support 
Universal Plug and Play 
(UPnP), look for a UPnP- 
compatible firmware 
upgrade or consider 
replacing the hardware. 


Set a strong password 
on your router. 


Disable access to Web- 
based administrative 
tools from the Internet. 


Connecting Your Network to 
the Internet 


When bringing the Internet into your network, 
you can choose any of the following 
configurations: 


Each computer has its own physical 
connection to the Internet. If you're limited to 
dial-up speeds and each computer has its own 
modem and access to a telephone line, this 
option is simple, direct, and quite inexpensive. 
With broadband connections such as a cable 
modem or a digital subscriber line (DSL), the cost 
of multiple physical connections (including 
hardware for each computer) can be prohibitive, 
and the task of installing multiple connections can 
be daunting. In either case, you need to take 
extra steps to ensure that outsiders are blocked 
from accessing your network, as we explain in 
Using_Direct Internet Connections on a LAN. 


Each computer has a direct connection to 
the Internet through a network hub or 
switch. In this configuration, your external DSL 
or cable modem is plugged into a hub or switch, 
as are all computers on the network. Microsoft 
strongly recommends against using this setup, 
and so do we. For starters, it will work only if 
your Internet service provider is willing and able 
to supply separate IP addresses to each 
computer. (Some ISPs limit customers to a single 
IP address or charge extra for each additional 
address.) Because each computer is 
communicating with the Internet and the local 
network using the same TCP/IP connection, this 
configuration has the potential to leave your 
network wide open to outside attackers. If you 


understand the risks and choose this 
configuration anyway, be sure to tighten security 
by using the techniques we outline in Adding a 
Direct Internet Connection to Your LAN. 


All computers on the network are connected 
to a router or residential gateway. This 
configuration is probably the most secure you can 
choose for a small business or home network and 
is the one we strongly recommend. The hardware 
router serves as your gateway to the Internet, 
using Network Address Translation (NAT) to 
supply private IP addresses to computers on the 
local network. The router distributes all TCP/IP 
traffic from the network to the outside world and 
then routes the returning packets to their correct 
destination. To the outside world, your entire 
network appears as a single computer with its 
own IP address. We explain the best strategies 
for securing this network configuration in Sharing 
an Internet Connection Through Hardware. 


All computers on the network are connected 
to a single computer running Internet 
Connection Sharing (ICS). ICS, which has 
been a part of every version of Windows since 
Windows 98 Second Edition, transforms the 
computer that is running ICS into the functional 
equivalent of a hardware router. Like a router, 
ICS uses NAT to assign private IP addresses to 
every computer on the network and then 
manages the flow of TCP/IP traffic to and from 
the Internet. Using ICS requires that you accept 
a few compromises, most notably that you leave 
the ICS host machine turned on at all times. In 
Windows XP, ICS is tightly integrated with the 
Internet Connection Firewall (ICF); we explain 
the configuration do’s and don’ts in Sharing_an 
Internet Connection Through Software. 


How Network Address Translation 
Works 


When you connect to the Internet 
directly, using a dial-up modem or 
broadband connection, your ISP 
typically assigns you an IP address 
from a pool of addresses that it owns. 
These addresses are public; their 
location is listed in routing tables that 
are freely available on the Internet to 
guide packets of data as they move 
from point to point. When you click on 
a link to a Web page or check for new 
messages on your email server, the 
outgoing packet includes your IP 
address; the server on the other end 
of the connection sends the data to 
that address, and the Internet sees to 
it that those packets are routed to 
your computer properly. 


On a home or small office network, 
having a unique public IP address for 
every computer is unnecessary and 
possibly dangerous. By sharing an 
Internet connection instead, you can 
get by with a single public IP address 
assigned to a single hardware device 
(a computer running ICS or a router 
or residential gateway). Each of the 
computers on the local network has a 
private IP address that is not 
reachable from the outside world but 
is known to other computers on the 
local network. To communicate with 
Web sites, email servers, and other 
Internet hosts, computers on the 
network funnel their requests through 


the computer or router on the edge of 
the network—the one with a public IP 
address. As each packet goes out onto 
the Internet, the gateway machine 
makes a note of where it came from. 
When the return packets arrive, the 
gateway machine uses a technology 
known as Network Address Translation 
(NAT) to pass those packets back to 
the correct private IP address on the 
network. 


The Internet Assigned Numbers 
Authority (IANA) has reserved three 
blocks of the IP address space for use 
on private networks that are not 
directly connected to the Internet: 


e 10.0.0.0 - 
10.255.255.255 


e 172.16.0.0 - 
172.31.255.255 


e 192.168.0.0 - 
192.168.255.255 


Routers, switches, and residential 
gateways that use NAT almost always 
assign addresses from these private 
ranges. The Internet Connection 
Sharing feature in Windows XP (as in 
previous versions of Windows), for 
instance, assigns private IP addresses 
in the 192.168.0.x range (where x is a 
randomly assigned number between 1 
and 255). The RG-1000 residential 
gateway from Agere Systems assigns 
addresses in the 10.0.0.x range, and 
Linksys routers typically assign 


addresses starting with 192.168.1.x. 
Unlike public IP addresses, which must 
be unique across the entire Internet, 
private IP addresses need be unique 
only on your local network. 


Using private IP addresses offers a 
significant security advantage because 
the computer or router that is 
managing the connection via NAT can 
inspect each incoming packet and 
decide whether to forward it or drop it. 
If a computer on the local network 
requested the connection, the NAT 
gateway will forward it; on the other 
hand, if a computer outside the 
network is trying to make a hostile (or 
at least unwanted) connection, the 
gateway assumes that the traffic is 
unsolicited and discards it. 


Troubleshooting 


When you check your IP address, 
it appears in the range 
169.254.x.y and you can’t access 
the Internet. 


This range of addresses is assigned by 
your computer using a feature called 
Automatic Private IP Addressing 
(APIPA). APIPA kicks in only when no 
DHCP server is available. If you're 
using Internet Connection Sharing or a 
router or residential gateway that 
automatically assigns IP addresses, 
your computer is unable to acquire an 
IP address from the gateway. This 
problem is often caused by a faulty 
network connection or a firewall that 


is configured incorrectly. Start the 
Windows Help And Support Center (in 
Windows 2000, use Windows Help) 
and run through the troubleshooter to 
repair your network connection. 


If you use Windows 2000, you must set all 
security and sharing options for your network 
manually; in Windows XP, the Network Setup 
Wizard does the grunt work of configuring TCP/IP 
settings, installing and configuring Internet 
connections, setting up Internet Connection 
Sharing (if your network doesn’t include a router 
or residential gateway), and enabling ICF on 
Internet connections. In most cases, the wizard’s 
default settings are correct and you should avoid 
tampering with them. In a few unusual 
configurations, however, you might need to tweak 
connection settings to achieve the result you 
want. 


Using Direct Internet 
Connections on a LAN 


Is the local network connection to your computer 
physically separate from your Internet 
connection? Is the Internet connection yours and 
yours alone? If the answer to both of these 
questions is yes, your security challenge is 
simple: Make sure that data packets from outside 
can’t reach your computer (and your network) 
unless you specifically request them. To be sure 
your two connections remain separate, you need 
to disable file sharing and install a firewall on the 
Internet connection. 


Configuring a Dial-Up Connection 


By default, both Windows 2000 and Windows XP 
disable the File And Printer Sharing service when 
you create a new dial-up connection. To confirm 
that your existing dial-up connection is secure, 
follow these steps: 


1. Open the folder that contains your 
dial-up connections. In Windows 
2000, click Start, Settings, Network 
And Dial-Up Connections. In 
Windows XP, double-click the 
Network Connections icon in 
Control Panel (if you use Category 
View, look under Network And 
Internet Connections). 


2. Right-click the icon for your dial-up 
connection and choose Properties. 


3. On the Networking tab, ensure that 
the File And Printer Sharing For 
Microsoft Networks box is not 
selected. Figure 15-1 shows this 
dialog box as it appears in Windows 
2000; the Windows XP version is 
nearly identical. 


“-Figure 15-1. Make certain 
that file and printer sharing is 
disabled on any dial-up 
connections. 


Configuring a Broadband Connection 


With broadband connections, the task of 
preventing anonymous intruders from browsing 
shared folders and other resources on your LAN is 
trickier. In this configuration, you have two 
Ethernet adapters—one providing connectivity to 
your LAN, the other connecting you to the 
Internet. Windows automatically enables file and 
printer sharing on all Ethernet connections, and 
even the Network Setup Wizard in Windows XP 
does not disable sharing. Thus, your first priority 
should be to shut down this service on the 
Internet connection, while leaving it in place on 
the LAN connection. To do so, follow these steps: 


1. Open the Network Connections 
folder (Windows XP) or the Network 
And Dial-Up Connections folder 
(Windows 2000). You should see at 
least two Local Area Connection 
icons. 


2. Right-click the icon for your 
Internet connection and choose 
Properties from the shortcut menu. 


Tell your connections 
apart 


When you have two or 
more network 
connections, how can 
you tell which is which? 
Windows isn’t much help 
—it applies the generic 
label Local Area 
Connection for each one, 
tacking a number onto 


the end of the name for 
the second and 
subsequent connections. 
If the network adapter 
and the IP address don’t 
give you enough 
information, try this 
easy shortcut: Right- 
click one icon and 
choose Disable from the 
shortcut menu. Leaving 
the other icon enabled, 
try to connect to a Web 
page. If you see an error 
message in your 
browser window, you 
know that the disabled 
icon belongs to your 
Internet connection and 
the other one goes with 
your local network. If 
the page appears, the 
roles are reversed. 
Armed with this 
information, right-click 
each icon in turn and 
choose Rename; then 
enter a descriptive label 
for each one so that you 
won’t have to go 
through this rigmarole 
the next time you visit 
the Network Connections 
folder! 


3. On the General tab, clear the check 
box to the left of File And Printer 
Sharing For Microsoft Networks. 


4-Click OK to save your changes. 


Adding Firewall Protection 


After disabling file and printer sharing services, 
your next responsibility is to install a personal 
firewall to block unsolicited inbound traffic on the 
Internet connection. In Windows 2000, you must 
use a third-party product for this task because 
the operating system doesn’t include any firewall 
features. In Windows XP, you can use a third- 
party product, but you remain perfectly secure 
with the help of the built-in ICF. We explain the 
ins and outs of firewalls in Blocking Attacks with a 
Firewall, so we won’t repeat those details here. In 
this section, we focus instead on how to work 
around some of the occasionally confusing 
choices that the Windows XP Network Setup 
Wizard offers when you add an Internet 
connection to your LAN. 


To start the wizard, open the Network 
Connections folder and choose File, Network 
Setup Wizard. After you click through its two 
introductory screens, the wizard displays the 
dialog box shown in Figure 15-2. The first two 
options assume that you’re sharing an Internet 
connection over your network using either a 
hardware router or a computer running Internet 
Connection Sharing software. As we explain later 
in this chapter, this is indeed the safest and 
simplest way to add Internet access to a LAN. 


“-Figure 15-2. If your computer is 
connected directly to the Internet and a LAN, 
choose the Other option. 


If your computer has both a direct physical 
connection to the Internet and a LAN connection, 
choose the Other option and click Next. In the 
Other Internet Connection Methods dialog box, 


shown in Figure 15-3, select the top choice, This 
Computer Connects To The Internet Directly Or 
Through An Internet Hub, and click Next to 
continue. 


“-Figure 15-3. If other network users are 
not accessing the Internet through your 
computer, choose the top option from this 
list. 


The wizard next presents a list of available 
network connections, making its best guess as to 
which one represents the connection to the 
Internet. Confirm that the Internet connection is 
selected (in the example shown here, we’ve 
made identification easier by giving each network 
connection a descriptive name) and click Next to 
continue. 


“-Before completing its task, the wizard 
displays the dire warning shown in Figure 15-4. 


“-Figure 15-4. If your Internet connection is 
firewalled and you're confident that no other 
network computers have Internet access, 
you can proceed despite this warning. 


Although the warning is generally accurate, you 
may safely disregard it and continue if you meet 
either or both of the following conditions: 


e You are certain that no other 
computer on your network has an 
active Internet connection or that 
all other Internet connections are 
protected by a firewall. 


e You have disabled the TCP/IP 
protocol on your LAN connection 
and are using a non-routable 
protocol such as IPX/SPX or 
NetBEUI. 


If there is any chance that another computer on 
your network can connect to the Internet without 
the protection of a firewall, you run the risk that 
an intruder can break in to that computer and 
then access resources on your computer using 
your TCP/IP-based LAN connection. If you're 
confident this can’t happen, click Next and finish 
the wizard. After prompting you for the computer 
and workgroup names, the wizard enables the 
ICF on the Internet connection but leaves the 
network connection open so that you can share 
resources across your local network. 


Adding a Direct Internet 
Connection to Your LAN 


Safely sharing an Internet connection requires at 
least a slight investment in extra hardware. 
Routers and residential gateways cost more than 
simple network hubs or switches. The less 
expensive Internet Connection Sharing option 
requires that you install a second Ethernet 
adapter on the computer that will serve as the 
ICS host. Windows users with a broadband 
connection and a very tight budget might be 
tempted to cut corners by plugging a cable or 
DSL modem directly into the network hub or 
switch. In this configuration, every user acquires 
an IP address directly from the ISP and uses the 
same Ethernet adapter to communicate over the 
Internet and across the local network. 


Without additional precautions, this configuration 
is horrendously insecure. An intruder who breaks 
in to any computer on the network has access to 
the entire network. In Windows XP, the Network 
Setup Wizard first delivers a warning message 
(shown in Figure 15-4, earlier in this chapter) 
and then enables the Internet Connection 
Firewall. This solution eliminates the threat of 
outside attack; unfortunately, it also blocks 
communication with other computers on your 
LAN. If you insist on using this configuration, you 
should employ one of the following options to 
protect yourself: 


e Disable ICF and install a third-party 
firewall. (You'll find a list of firewall 
programs in “Choosing_a Third- 
Party Personal Firewall".) Unlike the 
bare-bones ICF, a full-featured 


firewall product typically allows you 
to define security zones. Configured 
properly, the firewall should allow 
you to freely exchange data among 
computers on the local network 
while blocking all unsolicited 
inbound traffic on the Internet 
connection. 


Disable file and printer sharing on 
the TCP/IP protocol for each 
computer on your network and 
instead enable sharing over the 
NetBEUI or IPX/SPX protocol. (This 
procedure is documented fully in 
Protocols and Other Software 
Components.) By using a protocol 
other than TCP/IP for local network 
traffic, you can leave ICF enabled, 
keeping your Internet connection 
protected while still sharing files 
and other resources. 


Sharing an Internet Connection 
Through Hardware 


The single most effective way to protect your 
local network from outside intruders is to place a 
barrier between the Internet and your LAN. 
Although businesses can justify sinking thousands 
of dollars into sophisticated hardware firewalls, 
you can protect your home or small business 
network for a fraction of that amount by installing 
a simple hardware router (sometimes referred to 
as a residential gateway). This piece of hardware 
sits between your network and your Internet 
connection (usually an external DSL or cable 
modem, although you can also use a 
conventional modem in this configuration). To the 
outside world, this gateway device looks like just 
another computer, although it’s considerably 
more secure because it does not have any 
running programs or disk storage that can be 
attacked. Because it’s always on, any computer 
can access the Internet at any time through the 
gateway device. 


What’s the difference between a 
router and a residential gateway? Very 
little, at least for today. A router is 
designed primarily for computer 
networks; its role is to sit at the edge 
of the network and serve as the 
secure interface between a local 
network and the rest of the world. 
Most products currently sold as 
residential gateways are nothing more 
than routers aimed at home users. 
Someday, residential gateways may 
take on more ambitious assignments 


and live up to their high-falutin’ name 
by integrating video, telephony, and 
home control systems with PC-based 
home networks. For now, though, you 
can consider the terms essentially 
interchangeable. 


Routers and residential gateways typically use 
NAT to assign private IP addresses to computers 
on your network, although you can also assign 
static IP addresses that are within the IANA- 
approved private IP address ranges. 


Mix and match IP addresses 


By default, most routers have DHCP 
enabled, allowing the router to 
dynamically assign IP addresses to 
computers on your network. This 
removes some of the hassles of 
administering a network, but it also 
creates problems if you want to allow 
certain ports to pass through the 
router and be sent directly to a 
specific local computer. If you power 
down the local computer for a few 
days, it may acquire a new address 
the next time it’s turned on. To work 
around this problem, you can assign 
static IP addresses to one or more 
computers on your network. Be sure 
the addresses are in the same range 
and on the same subnet as those 
assigned dynamically by your router, 
and be sure to exclude the fixed 
addresses from the list used by the 
router’s DHCP server. 


Despite what you may read in some advertising 
literature, a router is not the same as a firewall. 


A basic router is designed to do exactly what its 
name implies: route packets between networks. 
An increasing number of routers sold for use in 
home and small business networks incorporate 
features typically found in firewalls, such as 
packet filtering, port blocking, and NAT. By 
making the individual computers on your network 
essentially invisible to the outside world, the 
router accomplishes one of the key tasks of a 
firewall; but your network will be much more 
secure if you combine this hardware solution with 
a software firewall. (See Blocking Attacks with a 
Firewall, for more details on the additional layers 
of protection you can expect.) 


Why Your Router Should Be UPnP- 
Compatible 


When you go shopping for a router or 
residential gateway, you'll encounter a 
wide variety of options, from simple 
one-port routers to pricey devices that 
incorporate software firewalls and 
virtual private network (VPN) 
technology. For any router that you 
intend to use with computers running 
Windows XP, we recommend that you 
study the specifications carefully and 
make certain it supports the Universal 
Plug and Play (UPnP) standard. The 
first generation of UPnP routers 
(including firmware upgrades to add 
UPnP support to older routers) hit the 
streets in early 2002. Many hardware 
makers have been deliberately 
cautious about introducing this 
capability, especially after the 
announcement of a serious security 
problem with UPnP in the initial 


release of Windows XP. Linksys 
(http://www.linksys.com) and D-Link 
(http://www.dlink.com) were among 
the first companies to release UPnP- 
compatible routers. By the time you 
read this, other manufacturers will no 
doubt have followed suit. 


A router that supports UPnP can offer 
a variety of features designed to 
streamline administrative tasks. With 
UPnP, for instance, other computers 
on the network can automatically 
sense that the router is available and 
configure their Internet connections 
without any effort on your part. 
Administrators can also use UPnP 
features to configure and manage the 
router without having to 
remeG15tnmber specific IP addresses 
or load custom software. 


The most important benefit of UPnP, 
however, is its support for NAT 
traversal. With a router or residential 
gateway that doesn’t support UPnP, 
the use of private addresses makes it 
impossible for communications 
programs like Remote Assistance to 
establish a connection. Likewise, the 
use of NAT makes it impossible for 
Windows Messenger users to 
communicate using audio or video 
features. With UPnP, the router 
understands how to work seamlessly 
with private network addresses and 
can maintain these connections 


properly. 


If you have an older router that 
doesn’t work properly with these types 
of applications, you may want to 
replace it with a newer, UPnP- 
compatible device. Before you go to 
that trouble, though, be sure to check 
with the hardware manufacturer. You 
may be pleasantly surprised to find 
that UPnP features are available with a 
simple firmware upgrade. 


Configuring a Router or Residential 
Gateway 


Connecting a router to your network isn't a 
particularly difficult task. First plug your cable or 
DSL modem into the WAN port on the router; 
then plug the hub or switch that connects 
computers on your local network into the LAN 
port on the router. (If your router includes an 
integrated hub or switch, you can plug computers 
on your network directly into the LAN ports on 
the router. ) 


Most routers include a configuration utility, 
typically accessed through a Web-based 
interface. With the popular Linksys BEFSR41 and 
BEFSR81 routers, for instance, you load the 
configuration page shown in Figure 15-5 by 
typing the URL hAttp://192.168.1.1 and entering 
the default password, admin. 


“-Figure 15-5. Most routers, like this Linksys 
model, use a Web-based configuration utility. 


The first step is to establish your Internet 
connection. If you normally acquire an IP address 
automatically through DHCP, choose this option 
for your router. Depending on your ISP, you 
might need to supply a fixed IP address, enter 
the addresses of DNS servers, or both. You might 
also have to perform additional steps, such as 
setting up a PPP Over Ethernet (PPPoE) logon for 
the router or changing the MAC (media access 
control) address of your router so that it matches 
the MAC address of your primary computer. 


Troubleshooting 


You can’t connect to the 
configuration page for your router 


When setting up a router, you need to 
supply its IP address, typically by 
typing it into the Address bar of 
Internet Explorer. If your computer 
and the router have IP addresses on 
different subnets, you'll be unable to 
connect. Your computer should acquire 
an IP address automatically from the 
DHCP server on the router. This option 
will fail if the router’s DHCP 
capabilities have been previously 
disabled, or if another DHCP server is 
running elsewhere on the network. Try 
any of these strategies to solve the 
problem: 


e Disconnect all other 
computers from the 
network, leaving only 
the LAN connection for 
your computer and the 
WAN connection 
enabled. Make sure your 
computer is set to 
acquire an IP address 
automatically and try 
again. 


e Operate the router’s 
reset switch to apply the 
default settings. This 
should enable the DHCP 
capabilities again. 


e If all else fails, assign a 
temporary static IP 
address to your 
computer. Make sure 
this address is on the 


same subnet as the 
router, and specify the 
router’s IP address as 
the gateway. For 
instance, if the router’s 
address is 192.168.1.1, 
assign your computer 
the address 
192.168.1.2, witha 
subnet mask of 
255.255.255.0 anda 
gateway of 192.168.1.1. 


Next set up the router’s internal DHCP server. 
When this feature is enabled, the router responds 
to requests for an IP address from computers on 
your local network. You can typically specify a 
range of private IP addresses. Depending on the 
router, you may be able to map specific IP 
addresses to specific MAC addresses so that each 
computer on your network always receives the 
same IP address when connecting to the 
network. 


Finally, close the configuration utility and 
configure each computer on the network to 
acquire an IP address automatically. (For 
computers running Windows XP, you should use 
the Network Setup Wizard for this task.) After 
confirming that the router is doing its job, you 
can set up advanced features, such as packet 
filtering and port forwarding. 


Bypass ISP restrictions on servers 


Some routers allow you to create 
virtual servers inside your network, 
passing specific ports through the 
router to a designated IP address. This 


capability can be a useful (but 
potentially dangerous) way to get 
around the blocks that many Internet 
service providers place on Web and 
FTP servers. You might want to run a 
personal Web server on which you can 
share photos with other family 
members, but access from the outside 
will fail if your ISP blocks port 80, the 
standard port used by Web servers. 
The solution is to configure the Web 
server to use a port that isn’t blocked, 
such as 8080, and then use the 
router’s port-forwarding features to 
pass all outside traffic on port 8080 
directly to the IP address of the 
computer running the Web server. 
Anyone making a connection to the 
server will need to specify the public 
IP address of the router, followed by a 
colon and the port number. If you 
choose this option, be certain that you 
update the Web server software 
regularly with the latest security 
patches. And don’t try to use this 
“under the radar” capability for a high- 
volume Web site unless you’re 
prepared for a confrontation with your 
ISP. 


Tightening Security on a Router 


Adding a router to your network isn’t a panacea. 
Simple NAT and packet-filtering capabilities can 
provide a baseline level of security for your 
network, but don’t underestimate the 
resourcefulness and tenacity of outside attackers. 
A determined intruder who figures out that you’re 
using a specific type of router can craft an attack 
against the router and may succeed if you aren’t 
thorough in your preparation. To increase the 
security of the network, follow these tips: 


e Set a strong password for the 
router. Out of the box, every 
router uses a simple default 
password, and you can bet that 
every one of those default 
passwords is on a list that would-be 
attackers try right away. 


e Disable remote administration 
capabilities. Many routers allow 
you to connect to the router’s 
configuration utility from inside 
your local network or from the 
outside. To block a major avenue of 
attack, disable the capability to 
manage the router from the 
Internet. 


e Configure how the router 
responds to unsolicited outside 
traffic. If you’re running a server 
inside your network, forwarding 
specific ports to the IP address of 
the computer running the server 
software, you need to allow outside 


access to the computer. But you 
should disable all other unsolicited 
outside traffic. In particular, if you 
can configure the router to discard 
Internet Control Message Protocol 
(ICMP) packets from the Internet, 
you should do so. This step 
prevents outsiders from “pinging” 
your network and determining that 
the IP address exists. It also 
prevents an entire class of attacks 
that use malformed ICMP packets 
to cause havoc to the network. 


Enable firewall or antivirus 
features, if available. Some 
routers integrate with specific 
antivirus and personal firewall 
programs. Linksys routers, for 
instance, work with the ZoneAlarm 
Pro personal firewall and Trend 
Micro’s PC-Cillin antivirus software. 
Using this capability, you can 
enforce a security policy that allows 
Internet access through the router 
only to computers that are running 
either or both of these programs. 
Figure 15-6 shows the configuration 
options for this feature on an 8-port 
Linksys router. (Note that in this 
example the software does not run 
on the router itself, only on the 
client computers. Hardware 
firewalls that include built-in 
antivirus software are available, but 
they typically cost far more than a 
router intended for use on a home 
or small business network.) 
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Figure 15-6. Some routers for 
home networks, like this 
Linksys model, allow you to 
enforce security policies 
requiring antivirus or personal 
firewall software. 


e Carefully configure advanced 
firewall options. Every router is 
different. Depending on the specific 
capabilities of your router, you may 
be able to block specific incoming 
ports or block access to particular 
ports by time of day. The latter 
capability can be especially useful if 
you want to prevent kids from 
browsing the Web after 10:00 PM, 
for instance. 


Many routers include an option to 
place one or more computers on the 
local network in a DMZ—an acronym 
from the military term demilitarized 
zone. Putting a computer in this zone 
bypasses the router, giving it direct 
access to the Internet. Using this 
option may be the only way to make 
some types of connections, such as 
those used in multiplayer games. Just 
be aware that bypassing the router 
also gives outsiders unfiltered access 
to the computer in the DMZ. If you 
must use this option, we recommend 
enabling it only when you need it, and 
removing the local computer from the 
DMZ when it’s no longer required. 


Sharing an Internet Connection 
Through Software 


You don’t have to invest in a dedicated router or 
residential gateway to share a single Internet 
connection and simultaneously protect your 
network. Using Internet Connection Sharing, you 
can turn a single computer with an active 
Internet connection into the functional equivalent 
of a router. The connected computer acts as the 
ICS host and shares its Internet connection. All 
other computers on the network route their 
Internet traffic through the ICS host computer. 


ICS is most effective with high-speed (cable or 
DSL) connections, although it works acceptably 
with dial-up Internet connections. To share a 
broadband connection, the ICS host computer 
must have separate network adapters for the 
Internet connection and the LAN connection. The 
single biggest drawback of ICS, of course, is that 
the shared connection is available only if the ICS 
host computer is turned on. 


Although ICS is included as a feature in Windows 
98 Second Edition, Windows Me, and Windows 
2000, we strongly recommend that you use a 
computer running Windows XP (Home Edition or 
Professional) as your ICS host. The security and 
usability features of this version of ICS are head 
and shoulders above those found in earlier 
versions of Windows. Most notably, the Internet 
Connection Firewall, found only in Windows XP, is 
tightly integrated with ICS and adds a measure of 
security that is unmatched in earlier versions. 


The Network Setup Wizard, which runs 
from CD or floppy disk to set up ICS 
on client computers, does not work 


with Windows 95 or Windows 3.1. If 
computers running either of these 
operating systems are present on your 
network, you must configure the 
networking components manually to 
take advantage of an ICS host. 


Do not use ICS on any network that includes a 
Windows 2000 Server (or Windows .NET Server) 
domain controller or any other computers running 
a DNS server, DHCP server, or Internet gateway. 
In addition, if any computers on the network are 
configured with static IP addresses, you may 
need to reconfigure them to be in the private 
address range that is automatically assigned by 
ICS. 


Using ICS does not expose your computer to any 
security risks different from those that you should 
be concerned about on a computer that is directly 
connected to the Internet. If you’re using the 
original release of Windows XP, however, be 
certain you install the security patches referred to 
in two Microsoft Security Bulletins: MS01-54, 
“Invalid Universal Plug and Play Request can 
Disrupt System Operation” 

(http://www. microsoft.com/technet/security/bull 
etin/MS01-054.asp) and MS01-059, “Unchecked 
Buffer in Universal Plug and Play can Lead to 
System Compromise” 

(http://www. microsoft.com/technet/security/bull 
etin/MS01-059.asp). These patches, which are 
also included in Windows XP Service Pack 1, fix 
serious security holes that could allow an attacker 
to exploit a weakness in the Universal Plug and 
Play service and shut down your computer or 
install a Trojan horse program. Note that any 
client machines that were set up on ICS by using 
this early release of Windows XP will also need to 


be patched; see the referenced bulletins for 
access to those patches. 


Setting Up Internet Connection Sharing 
in Windows XP 


To configure ICS, use the Network Setup Wizard. 
(The procedure is identical for Windows XP Home 
Edition and Professional, and you must be logged 
on as an administrator to perform this task.) Run 
the wizard on the ICS host first, and then do so 
on each network computer where you plan to use 
the shared connection. If any computers on the 
LAN are running different versions of Windows, 
you can use the Windows XP CD to set up the 
client computers. If the CD is not available, take 
advantage of the option in the wizard’s final step, 
which creates a setup floppy disk you can use 
with any 32-bit version of Windows. 


#-Setting up ICS in Windows XP makes the 
following changes to your network configuration: 


e The shared connection on the ICS 
host acquires an IP address from 
the Internet service provider. 


The wizard enables the Internet 
Connection Firewall on the shared 
connection. 


e The connection to the local network 
from the ICS host uses the static IP 
address 192.168.0.1, configured 
with a subnet mask of 
255.255.255.0. 


e The Internet Connection Sharing 
service runs automatically on the 
ICS host. 


e A DHCP allocator on the ICS host 
automatically assigns IP addresses 


to other computers on the network. 
The default range is from 
192.168.0.2 to 192.168.0.254, with 
a subnet mask of 255.255.255.0. A 
DNS proxy on the ICS host 
eliminates the need to specify DNS 
servers on other computers on the 
network. 


e Autodial is enabled on the ICS host. 


Troubleshooting 


Your shared Internet connection 
isn’t working. 


Any of the following circumstances can 
prevent ICS from working properly: 


e The Internet 
Connection Sharing 
service is not running. 
From Control Panel, 
open the Administrative 
Tools folder, double-click 
the Services icon, and 
then check to see that 
the Status column 
alongside the Internet 
Connection Firewall 
(ICF) / Internet 
Connection Sharing 
(ICS) service reads 
Started. If necessary, 
right-click the service 
entry and choose Start 
or Restart from the 
shortcut menu. 


e The wrong network 
adapter is shared. Run 
through the Network 
Setup Wizard again and 
confirm that you’ve 
selected the correct 
adapters. 


e The settings on other 
network computers 
are incorrect. 
Computers running 
Windows 98, Windows 
Me, Windows 2000, or 
Windows XP should be 
able to connect to the 
Internet through an ICS 
host, when configured to 
obtain an IP address 
automatically and obtain 
DNS servers 
automatically. Leave the 
default gateway field 
blank. If necessary, 
rerun the Network Setup 
Wizard on the other 
computers. (The wizard 
will not run on Windows 
95 or Windows 3.1 or on 
computers running other 
operating systems. In 
this case, you must 
manually specify that 
the computer is to 
acquire its IP address 
via DHCP, set the 
gateway to 192.168.0.1, 
and leave the DNS 
server settings blank.) 
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After completing the initial, automated 
configuration, you can manage the shared 
connection from the Network Connections folder 
on the ICS host. Right-click the icon for the 
shared connection and choose Properties, then 
click the Advanced tab. Use the resulting dialog 
box, shown in Figure 15-7, to enable or disable 
the connection and to control whether users at 
other computers on the network can enable or 
disable the connection. 


“-Figure 15-7. Clear the check box at the 
bottom of this dialog box to prevent other 
network users from disabling Internet 
access. 


Giving other network users the capability to turn 
Internet access on or off is most useful when you 
have a dial-up connection where you pay for each 
minute you’re connected. However, you can also 
use this capability as a rudimentary security 
function or to regulate Internet access (on a 
home network, for instance). Clear the Allow 
Other Users To Control Or Disable The Shared 
Internet Connection check box if you want to 
maintain complete control over Internet access; 
with this option enabled, you can disable the 
Internet connection whenever you want. Other 
users will need to log on to your computer (the 
ICS host) locally, using an account with 
administrative rights, or ask your permission to 
re-enable the Internet connection. 


Get easy access to network 
connections 


If you frequently access the Properties 
dialog box for a network connection, 
shared or otherwise, you'll quickly tire 


of drilling through dialog boxes to get 
to it. Instead, create a shortcut on the 
Start menu, the Quick Launch bar, or 
the desktop. From the Network 
Connections folder, right-click the 
network icon and choose Create 
Shortcut. A dialog box warns you that 
you can’t create a shortcut in this 
folder and asks if you want to create it 
on the desktop instead. Click Yes to 
create the shortcut, and then move it 
to your preferred location. 


When you open the Network Connections folder 
on a computer that gets its Internet access from 
an ICS host, you see an Internet Gateway icon 
similar to the one shown in Figure 15-8. 


“-Figure 15-8. The Internet Gateway icon 
appears only when you're connected to a 
network with an active ICS host. 


Double-clicking this icon displays the status 
dialog box shown in Figure 15-9. 


“-Figure 15-9. Use the two buttons at the 
bottom of this dialog box to manage a shared 
Internet connection remotely. 


Click the Disable button to shut down Internet 
access immediately. (You must be an 
administrator to perform this action.) When the 
connection is shut down, the label for this button 
switches to Enable; click the button to restart the 
connection. Use the Properties button to manage 
settings for the Internet Connection Firewall on 
the ICS host. This dialog box is the same one you 
see if you open the properties dialog box for the 
connection and click the Settings button on the 
Advanced tab. 


Setting Up Internet Connection Sharing 
in Windows 2000 Professional 


If at least one computer on your network runs 
Windows 2000 Professional and you don’t have 
any Windows XP installations to choose from, you 
can set up Internet Connection Sharing on that 
computer instead. The basic operation of ICS in 
Windows 2000 is the same as in Windows XP, 
with the following exceptions: 


e No wizard is available to help you 
set up the connection. All 
configuration options are set 
manually on the ICS host and on 
local computers. 


e Windows 2000 does not include a 
firewall, so your shared Internet 
connection is vulnerable to outside 
intruders unless you install a third- 
party firewall program. 


e Network users cannot control 
access to the shared connection. 


To enable ICS, you must have two separate 
network connections, one for the Internet, and 
the other for LAN access. Open the Network And 
Dial-Up Connections folder, right-click the icon for 
the Internet connection, and then choose 
Properties. On the Sharing tab, select the Enable 
Internet Connection Sharing For This Connection 
check box. Click OK to close the dialog box. The 
Internet connection acquires an IP address using 
the current settings; your LAN connection is reset 
to a static IP address of 192.168.0.1 and subnet 
mask of 255.255.255.0; and the DHCP allocator 


assigns addresses in the range 192.168.0.2 to 
192.168.0.254. 


If you gain Internet access through a dial-up 
modem, you'll find the Sharing tab on the 
Properties dialog box for the dial-up connection, 
as shown here. Note the extra check box that 
allows you to enable on-demand dialing. 


“On a network with a Windows 2000 ICS host, 
you must configure client computers manually. 
Specify that the computer is to acquire its IP 
address automatically via DHCP, set the gateway 
to 192.168.0.1, and leave the DNS server 
settings blank. 


Chapter 16 


Wireless Networking and 
Remote Access 


Wireless networks were once an expensive, 
esoteric choice, used only in specialized business 
applications where their benefits outweighed their 
tremendous cost and complexity. In recent years, 
however, the price of wireless networking 
hardware has plummeted to very affordable 
levels. Setting up a wireless network no longer 
takes an advanced engineering degree, either—if 
you use Windows XP, wireless adapters literally 
configure themselves, and the task of setting up 
a cable-free network usually takes only a few 
minutes. 


The benefits of wireless networking are practically 
irresistible. Using a lightweight notebook 
computer equipped with an inexpensive wireless 
LAN adapter, you can browse the Web and access 
shared files and printers from anywhere within 
radio range of your wireless access point. At 
home, you can use your computer on the couch, 
on the back porch, or while lying in bed. In the 
office, you can bring your computer to a 
conference room and still have access to 
information on your company’s intranet or on the 
Web, and you can e-mail the minutes of the 
meeting the minute it’s over. 


Unfortunately, all that convenience comes at the 
expense of serious security trade-offs. If you can 
connect to your network from a distance, so can 
anyone with a computer, a wireless adapter, and 
a little determination. Although you can 
implement some simple security measures, the 
most popular wireless standard includes some 


gaping security holes that demand your 
attention. 


In this chapter, we explain what you should and 
shouldn’t do with a wireless connection. We also 
explain how to allow remote access to your 
Windows network without compromising security. 
As it turns out, the most secure form of remote 
access—the virtual private network, or VPN— 
makes an excellent addition to wireless networks 
as well! 


Security Checklist 


If you have a wireless network, follow 
these steps to safeguard your shared 
resources. 


e Configure your wireless 
access point with a 
strong password. 


e Consider disabling 
remote administration of 
the access point; if you 
need to change settings, 
you can do so directly, 
using the Ethernet 
connection or a cable. 


e Upgrade the firmware of 
your wireless hardware 
to the most recent 
versions, which may 
incorporate security 
fixes. 


e Change the network 
name (SSID) of your 
access point to one that 
doesn’t match the 


hardware defaults and 
doesn’t give away any 
information about you or 
your business. 


Use MAC access control, 
if it’s available. 


Turn on Wired Equivalent 
Privacy (WEP) and set 
strong keys. 


Change your WEP keys 
at least monthly and 
preferably weekly. 


Scan your wireless 
network to determine 
whether you are 
vulnerable to attack 
from widely used 
hacking tools. 


Consider using virtual 
private networks for 
wireless connections. 


The Risks of Wireless 
Networking 


To understand the security problems inherent in 
wireless networking, you first need to understand 
the basic architecture of a wireless network. 
Today, most popular wireless networks use the 
IEEE 802.11 standard, adopted in 1997. 
Variations of this standard include the widely 
used IEEE 802.11b (also known as Wireless 
Ethernet, or Wi-Fi), which transmits data at a 
maximum speed of 11 Mbps, roughly the same 
speed as a conventional wired Ethernet 
connection. A pair of emerging standards called 
802.11a and 802.11g use the same underlying 
technology as Wi-Fi to transfer data at speeds of 
up to 54 Mbps. (For an explanation of the 
differences between the various components of 
the 802.11 standard, see the sidebar “802-Point- 
Whatever: Decoding Wireless Standards.”) 


All the 802.11 standards define mechanisms by 
which network data literally floats through the air, 
using radio frequencies in the 2.4 GHz range. 
Network adapters with small antennas—typically 
installed in a PC Card slot on a notebook 
computer, or attached to a USB port on a desktop 
computer—transmit and receive data to 
communicate with the rest of the network. The 
most common wireless network configurations 
include a hardware device called a wireless 
access point, which incorporates its own 
transmitter/receiver and connects directly to the 
Internet or to a network hub or switch, often 
acting as a bridge between wireless and wired 
networks. Strictly speaking, an access point isn’t 
required; small networks can get by using “ad 
hoc mode,” in which network adapters 


communicate directly with one another in a peer- 
to-peer setup. 


Because wireless networking uses radio 
frequencies, anyone who has a computer 
equipped with a wireless adapter and is within 
the effective range of the access point or an 
individual wireless adapter can attempt to 
connect to the network. With a modest 
investment in hardware and little or no technical 
skills, an outsider can compromise the security of 
your network in any of the following ways: 


Theft of service. Even if an intruder can’t break 
into individual computers on your network, he 
may be able to access the Internet using your 
connection. The result could degrade the quality 
of your Internet service. This risk is especially 
noticeable in high-density areas such as 
apartment buildings, where any of your neighbors 
with a wireless network adapter may be within 
the effective range of your access point. 


Denial of service. An intruder who is unable to 
connect to your network can still cause some 
degree of havoc by flooding the network with 
connection requests. With enough persistence, an 
attacker could completely deny legitimate users 
access to the network. 


Theft or destruction of data. Outsiders who 
successfully connect to your network can browse 
shared folders and printers. Depending on the 
permissions assigned to these resources, they 
can change, rename, or delete existing files, or 
add new ones. 


Network takeover. An intruder who manages to 
log on to the network and exploit an unpatched 
vulnerability can install a Trojan horse program or 
tamper with permissions, potentially exposing 


computers on the LAN to attacks from over the 
Internet. 


Don’t skimp on protection 


You’ve followed every 
recommendation in this chapter to 
secure your wireless access point. Can 
you relax now? Not yet. Remember 
that wireless networks can operate in 
“ad hoc” mode, where the adapter on 


each computer serves as an access 
point. An attacker who can’t get to the 
access point can still target an 
individual computer and break in to 
the network. To protect yourself, make 
sure you've installed personal firewall 
software on every computer that 
contains a wireless adapter. 


Out of the box, wireless networks are designed to 
be easy, not secure. Properly protecting a 
wireless network requires considerable extra 
effort. If you work in a large organization, with 
access to a Windows domain, multiple firewalls, 
virtual private networks, and a server that can 
authenticate computers against a central 
database, you can lock down a wireless network 
impressively. In a home or small network, 
however, your options are considerably more 
limited. 


802-Point-Whatever: Decoding 
Wireless Standards 


Working Group 802.11 of the Institute 
of Electrical and Electronic Engineers 
is responsible for all wireless network 
specifications. That’s a big job, it turns 
out—so big that the group has split 


into a number of smaller groups to 
tackle individual parts of the job. The 
result is a host of standards, all in 
varying degrees of completion and 
with confusing names that sound 
almost alike. Here are explanations of 
those that are most likely to impact 
your security planning for a wireless 
network. 


e 802.11b, also known as 
Wi-Fi, is the current 
leader in wireless 
networking technology. 
It uses the 2.4 GHz 
frequency to send and 
receive data ata 
maximum rate of 11 
Mbps. 


e 802.114a uses hardware 
that looks similar to its 
802.11b cousins; 
however, it broadcasts in 
a different frequency 
range, 5 GHz, and can 
reach maximum speeds 
of 54 Mbps, roughly five 
times faster than Wi-Fi. 


e 802.11g is an 
alternative to the 
802.11a standard that 
can also blast data 
across the network at 54 
Mbps. Because this 
hardware uses the same 
2.4 GHz frequency range 
as Wi-Fi adapters, 


manufacturers are more 
likely to make devices 
that support both 
standards, easing the 
transition for people who 
already have a 
substantial amount of 
Wi-Fi hardware and 
don’t want to throw 
away that investment. 


802.1x provides a 
mechanism for 
authenticating 
computers that connect 
to a wireless access 
point, typically through a 
Remote Authentication 
Dial-In User Service 
(RADIUS) server. This 
emerging standard is 
impractical for small 
networks but is ideal for 
large organizations that 
already have one or 
more authentication 
servers. (And no, the 
name is nota 
typographical error— 
because this standard 
applies to conventional 
wired networks as well 
as wireless, it contains 
only a single 1 in its 
name.) 


802.111 is the successor 
to Wired Equivalent 
Privacy (WEP), the 


authentication system 
built into the Wi-Fi 
standard that turned out 
to be unacceptably easy 
to crack. When this 
standard is finalized, it 
will probably incorporate 
a technique called 
Temporal Key Integrity 
Protocol (TKIP). 


Other task groups are working on 
aspects of wireless technology that 
affect quality of service (802.11e), 
communications between access 
points (802.11f), and spectrum- 
managed high-speed networking 
(802.11h). 


A techie humorist once wrote, “The 
best thing about standards is that 
there’s so many of them.” That’s 
certainly true with wireless 
networking. Because different portions 
of the 802.11 standards are in 
different stages of development, you 
may find products that are missing 
some technologies found in newer 
devices, and you may find other 
hardware makers that jump the gun, 
introducing technologies based on 
draft standards rather than the final 
version. For the latest technical 
details, you can read the sometimes 
dense and dry commentary at the 
official site of the 802.11 working 
group, http://www.ieee802.org/11. 
For a more readable summary, try the 
Web site run by the Wireless Ethernet 


Compatibility Alliance, at 
http://www. wi-fi.org. 


Controlling Connections to a 
Wireless Access Point 


Your first line of defense in securing a wireless 
network is to make it more difficult for outsiders 
to connect to the network. That’s not an easy 
task. The antenna in a wireless access point can 
broadcast its signal hundreds of feet in any 
direction. That’s bad news if you live in a densely 
populated apartment complex, but even if you 
have no neighbors within range of the access 
point, you could still be vulnerable. An 
enthusiastic community of “drive-by” hackers has 
turned wireless breaking and entering into a 
hobby, devising booster antennas and software 
utilities (with colorful names like AirSnort and 
Network Stumbler) that allow them to sniff out 
the details of unprotected networks as they drive 
through neighborhoods or sit in public areas of an 
office complex. 


Don’t let bad guys reconfigure 
your network 


When you set up your wireless access 
point for the first time, be sure to 
change the default password that 
unlocks the configuration utility. This 
crucial precaution protects the access 
point (and the rest of your network) 
from being reconfigured by an 
outsider. Default passwords are 
notoriously easy to crack; change the 
password to one that’s easy for you to 
remember but difficult for a stranger 
to crack. (If you need some ideas on 
how to create an effective password, 
see Creating Strong Passwords.) If 


your hardware supports disabling 
wireless administration completely, 
consider doing without that feature 
and using a direct connection—via 
Ethernet, USB, or a serial port— 
instead. 


Windows XP in particular makes the process of 
connecting to a wireless LAN extremely easy, 
thanks to a feature called wireless zero 
configuration. Most access points automatically 
broadcast their presence so that client computers 
can connect as soon as they come in range. 
When you connect a wireless network adapter to 
a computer running Windows XP, the operating 
system automatically discovers the nearest 
access point for that network and configures the 
adapter to work with it. That information appears 
in the list of available networks, shown in Figure 
16-1. 


“-Figure 16-1. Windows XP automatically 
discovers available networks and connects to 
them automatically unless you turn on Wired 
Equivalent Privacy (WEP). 


The network name shown in the Available 
Networks list is also called the Service Set 
Identifier, or SSID. In this example, which shows 
the SSID of an Agere Systems (formerly Lucent) 
RG-1000 Residential Gateway, the SSID is 
configured automatically using half of the built-in 
adapter’s MAC address. Some manufacturers use 
default names for the SSID instead; in this case, 
a would-be intruder who knows the default name 
could connect to the access point without any 
additional work. In fact, if you live in an 
apartment building with thin walls and your next- 
door neighbor uses the same hardware as you, 


it’s conceivable that one or both of you could 
inadvertently connect to the wrong network! 


You can take any or all of the following three 
measures to prevent someone from discovering 
the SSID of your network and trying to connect 
to it: 


e Choose a new network name. 
This is a good idea if your hardware 
automatically assigns a default 
name that is identical to those used 
by other people with the same 
hardware. Whatever you do, don’t 
use a name that identifies yourself 
or your business. That bit of 
information can encourage drive-by 
hackers to probe more deeply than 
if you just use a random 
alphanumeric string. 


e Don’t broadcast your network 
name. If your hardware includes 
an option to set up the network as 
a “closed” system, as the Agere 
Systems RG-1100 does, consider 
enabling this option. Anyone who 
wants to connect to the network 
will need to supply the network 
name manually rather than having 
it filled in automatically by the 
wireless hardware and Windows XP; 
this precaution also frustrates 
wireless scanning utilities like Net 
Stumbler, which are unable to 
automatically discover the network 
name when you use this 
configuration. 


e Use MAC addresses to limit 
access. Not all access points 
include this option, which allows 
you to specify that the only wireless 
adapters allowed to connect to your 
access point are those with MAC 
addresses on a list you enter. If 
your network is small, you can 
easily manage the list manually. For 
networks that have more than five 
wireless computers or that guests 
regularly visit, the administrative 
burden is unacceptable. Of course, 
a skilled hacker can spoof a MAC 
address and bypass this setting, 
but it can still be a useful barrier to 
Casual snoops. 


If you have access to an enterprise-strength 
authentication server, you can configure your 
network so that all connection requests are 
forced to authenticate through that server. This 
option uses the 802.1x standard and Extensible 
Authentication Protocol (EAP). In the enterprise 
market, you can choose from a variety of EAP 
types, most of which use either a certificate or a 
password to authenticate the wireless client at 
the access point. Used with a RADIUS server and 
a physical device such as a smart card, this 
option can be extremely secure. 


Support for 802.1x authentication is built into 
Windows XP. To access these settings, open the 
properties dialog box for the wireless connection 
and choose the Authentication tab. Figure 16-2 
shows the default settings. 


“-Figure 16-2. If your network includes an 
authentication server, you can greatly 
increase the security of a wireless network. 


If your network serves a home or small business, 
you should not tamper with these default 
settings. Windows XP enables authentication by 
default, but this setting is used only when a 
suitable server is available. If your authentication 
server uses an MD5 challenge rather than a 
certificate, it is vulnerable to brute force attacks 
from over the network. 


Encrypting Wireless 
Transmissions 


After getting these configuration steps out of the 
way, you're ready to tackle the most controversial 
security feature on a wireless network—turning 
on Wired Equivalent Privacy (WEP). In the 
original 802.11b standard, WEP was defined as 
an optional standard intended to make wireless 
networks as secure as wired networks. It works 
by encrypting data transmissions between the 
mobile clients (a notebook computer with a 
wireless LAN adapter, for instance) and the 
access point. Most hardware that uses WEP 
employs a single shared key that is used by all 
parts of the network. A flaw in the standard 
allows this key to be easily sniffed out by remote 
attackers, making off-the-shelf implementations 
of WEP insecure. 


On many wireless products sold for use on home 
networks, WEP encryption is optional. On others 
(including the Agere Systems Orinoco line), it’s 
enabled by default, with the affordable Silver 
series using relatively weak 40-bit encryption 
(with a key made up of five 8-bit characters) and 
the more expensive Gold series using 104-bit 
encryption (using a 13-character key). If you use 
802.11b hardware, we recommend that you 
enable WEP as a first line of security and upgrade 
its protection level to 104 bits. Because of the 
documented flaws in WEP, some security experts 
recommend disabling it altogether. We think that 
advice is short-sighted. Although WEP doesn’t 
provide absolute protection against a determined 
attacker and must be supplemented with other 
security techniques, enabling this option can go a 
long way toward stopping amateur hackers and 


locking out nosy neighbors. In addition, some 
hardware vendors have addressed some of the 
security flaws in the original WEP standard. You 
may need to update the firmware in your access 
point and wireless LAN adapters to incorporate 
these improvements. 


Why does WEP use odd key sizes of 40 
and 104 bits? The actual key sent for 
authentication includes a 24-bit 


initialization vector combined with the 
shared key. The result is a key that 
consists of either 64 bits (40+24) or 


To enable WEP on your access point, you must 
use the hardware configuration utility—Windows 
does not include any tools for configuring access 
points. If your hardware includes an option to 
upgrade from 40-bit to 104-bit encryption, take 
advantage of it. Write down the shared key and 
carefully note other settings on your access point. 


After enabling WEP on a computer running 
Windows 2000, you must use the client software 
to supply the shared key. If you use Windows XP, 
the operating system handles this task without 
requiring any extra software and should prompt 
you for this key the first time you connect to a 
WEP-enabled network. To enter the key manually, 
follow these steps (note that we assume you 
have only one access point on a small network): 


1. Open the Network Connections 
folder, right-click the icon for the 
wireless adapter, and choose 
Properties. If automatic discovery is 
on, the network name for your 
access point should appear in the 


Available Networks list and in the 
Preferred Networks list. 


2: Select the entry in the Preferred 
Networks list and choose 
Properties. If you’ve disabled 
automatic discovery on your access 
point, click the Add button. 


. In the Wireless Network Properties 
dialog box, shown in Figure 16-3, 
adjust the settings as shown here. 


“-Figure 16-3. To increase 
security on your wireless 
network, adjust the settings as 
shown here. Do this after 
configuring your access point. 


e If necessary, fill in the 
Network Name 
(SSID) box. This field 
is automatically filled 
in and unavailable for 
selection if automatic 
discovery is enabled 
on the access point. 


Select Data 
Encryption (WEP 
Enabled). This setting 
encrypts data 
transmissions on the 
network. 


Select Network 
Authentication 
(Shared Mode). This 
setting requires the 
correct key before 


authenticating a 
computer. 


Choose the Key 
Length (40 or 104 
bits) and Key Format 
(ASCII or 
Hexidecimal) to 
match the settings 
from your access 
point. 


Fill in the Network 
Key field using the 
same key you set on 
the access point. 


Clear the check box 
for The Key Is 
Selected For Me 
Automatically. This 
setting is used when 
the key is stored in 
memory on the 
wireless adapter. 


4. Click OK to close the dialog box and 
save your settings. 


Because of the documented weaknesses in WEP 
encryption, security experts recommend that you 
change the WEP keys at regular intervals, at least 
once a month. Although this process is tedious, 
it's a necessary precaution on any wireless 
network that is not compatible with the 802.11i 
authentication standard. 


Try this low-tech security solution 


The power switch on your wireless 
access point is an amazingly effective 
security device. If most of your 
network consists of wired computers, 
and you use wireless features only 
occasionally, you can reduce the risk 
of outside intrusions by turning off the 
access point when you don’t need to 
use it. On a business network that 
operates only during the day, consider 
putting the access point on a timer 
that automatically shuts down shortly 
after closing time and starts again in 
the morning. This low-tech solution is 
excellent insurance against would-be 
intruders who might be tempted to try 
to break in at night, when you're not 
likely to notice the unwanted traffic. 


Extra Security for Wireless 
Networks 


On small networks, the measures we outline in 
this chapter should be sufficient to protect you 
from the most common forms of outside attacks 
aimed at your wireless network. Of course, that 
assumes that you’ve protected the rest of your 
network using the precautions we outline 
elsewhere in this book: implementing a sensible 
security policy, using strong passwords, limiting 
the use of administrator accounts, and carefully 
setting access to shared resources. 


In businesses where the value of information 
stored on the network is high, you may need to 
implement additional precautions to safeguard a 
wireless network. Most of these steps involve 
investments in software and hardware that 
significantly increase the cost and complexity of 
your network. If your business routinely handles 
data that is extremely sensitive and is subject to 
legal restrictions on its storage (such as patient 
records in a medical office, or client 
correspondence in a law office), you should 
thoroughly investigate the security of wireless 
network equipment before purchasing and 
implementing it. The investment required to 
safeguard the data may be prohibitive. 


A detailed discussion of these options is outside 
the scope of this book; we list the following 
options to give you an idea of what you should 
consider when setting up a wireless network in a 
sensitive environment: 


e Avoid connecting the wireless 
LAN to the wired LAN. The 


wireless access point should 
connect to a router on a separate 
network or a firewalled interface. 


Use virtual private networks for 
all wireless connections. In this 
configuration, the access point 
connects to the rest of the network 
through the server acting as the 
VPN gateway. Outside intruders 
may be able to reach the access 
point, but they won't be able to 
transmit or receive data without 
authenticating against the VPN 
server. (The following section 
describes how to set up a VPN 
server on a computer running 
Windows XP or Windows 2000 
Professional. ) 


Use a scanning tool to test your 
wireless LAN for vulnerability. 
The same tools that hackers use to 
break into wireless networks are 
freely available for download on the 
Internet. If you administer a 
wireless network, download a copy 
of AirSnort from 
http://airsnort.shmoo.com. You'll 
find Network Stumbler at 
http://www.netstumbler.com. Both 
programs are well documented and 
easy to use—if you can figure them 
out, so can a world full of unsavory 
characters. 


Check audit logs regularly. Set 
up the Security log to monitor 
connections to your network and 


review it regularly. Be on the 
lookout for account logon events 
(connections made over the 
network) that don’t match the 
normal behavior of users on your 
network. You'll find details on how 
to set up this sort of monitoring in 
Auditing Security Events 


Remote Access Do’s and Don'ts 


Throughout this book, we emphasize techniques 
for keeping other people out of your computer 
and your network. But on some occasions, you 
want to allow carefully controlled connections to 
resources on your network. For home and small 
business networks, where you need only a single 
incoming connection at any time, Windows XP 
and Windows 2000 have everything you need 
built in. 


Setting Up a Virtual Private Network 


A virtual private network (VPN) is a secure means 
of connecting to a private network (such as your 
home or office network) via a public network 
(typically the Internet). Using a VPN, you can 
access all your network resources just as if you 
were connected directly to the network, and you 
can do so from any location where you can make 
an Internet connection. 


VPNs work by tunneling between two computers 
(or two networks) that are each connected to the 
Internet. Tunneling protocols travel across the 
public network using standard protocols, but each 
IP packet or frame (depending on the protocol) is 
encrypted and then wrapped inside another 
packet or frame with header information that 
allows it to travel from point to point. When the 
new packet or frame reaches its destination, the 
VPN software strips off the header, decrypts the 
original data, and routes it to its ultimate 
destination. If you were to send the original data 
“in the clear” over the Internet, anyone who 
intercepted the packets could read the content. 
In a VPN, however, the data is encrypted before it 
enters the public network and decrypted only 
after it’s safely behind the firewall at its 
destination; thus, anyone who intercepts the 
packets will see only encrypted data that looks 
like gibberish. 


Tunneling protocols form the basis of VPNs. 
Although Windows supports a variety of protocols 
used by legacy hardware devices, three tunneling 
protocols are in wide use today: 


e Point-to-Point Tunneling 
Protocol (PPTP). PPTP allows IP, 


IPX, or NetBEUI frames to be 
encrypted and then wrapped in an 
IP header to be sent across an 
intervening network. 


e Layer 2 Tunneling Protocol 
(L2TP). L2TP allows IP, IPX, or 
NetBEUI frames to be encrypted 
and then sent over any IP, X.25, 
Frame Relay, or ATM intervening 
network. 


e IP Security (IPSec) Tunnel 
Mode. IPSec Tunnel Mode allows IP 
packets to be encrypted and then 
encapsulated in an IP header to be 
sent across an intervening network. 
IPSec is often coupled with L2TP for 
purposes of encryption (because 
L2TP doesn’t support data 
encryption). 


Windows XP and Windows 2000 use PPTP or L2TP 
for tunnel connections. Only Windows 2000 
Server or Windows .NET Server can act as a VPN 
server using L2TP. Windows XP and Windows 
2000 Professional can, however, connect to a VPN 
server using L2TP. Windows XP and Windows 
2000 can use IPSec to enhance the security of all 
network interactions. 


With minimal effort, you can set up your 
computer as a remote access server, allowing 
anyone with the proper credentials (yourself 
included) to connect to it by way of a VPN. After 
successfully authenticating to the VPN, you can 
access shared folders on local drives and also 
browse the network and access shared resources 
elsewhere on the network. 


To create or modify incoming 
connections, you must be logged on 


as a member of the Administrators 


The procedure for setting up an incoming VPN 
connection is nearly identical in Windows 2000 
and Windows XP. In the following steps, we 
assume you’re using Windows XP and have noted 
the differences in Windows 2000 where needed: 


1. Open the Network Connections 
folder. (In Windows 2000, this 
folder is called Network And Dial-Up 
Connections. ) 


2. Choose File, New Connection. The 
New Connection Wizard appears. 
(In Windows 2000, it’s called the 
Network Connection Wizard.) If the 
Location Information dialog box 
appears, enter your area code— 
even if your computer doesn’t have 
a modem or you don’t plan to ever 
use the computer to dial a phone 
number. 


3. Click Next to bypass the wizard’s 
opening page. 


4. On the Network Connection Type 
page, select Set Up An Advanced 
Connection. (In Windows 2000, 
select Accept Incoming 
Connections.) Click Next. 


5. On the Advanced Connection 
Options page, select Accept 
Incoming Connections and click 


Next. (This step is not necessary 
for Windows 2000.) 


. If a Devices For Incoming 
Connections page appears, simply 
click Next. (These options are for 
setting up an incoming dial-up 
connection, direct cable connection, 
or infrared connection.) This page 
appears only if your computer has 
an installed modem, serial port, 
parallel port, or IrDA port. 


. On the Incoming Virtual Private 
Network (VPN) Connection page, 
select Allow Virtual Private 
Connections and click Next. (In 
Windows 2000, this page is called 
Incoming Virtual Private 
Connection. ) 


To receive VPN connections over 
the Internet, the IP address of your 
Internet connection must be known 
on the Internet. If your computer is 
directly connected to the Internet, 
use the IP assigned to you by your 
Internet service provider. If you're 
connected through a router or 
residential gateway, remote users 
will specify the IP address of the 
gateway; you'll need to forward the 
VPN port to your computer, as 
described in “Configuring_a Router 
or Residential Gateway.” 


. On the User Permissions page 
(called Allowed Users in Windows 
2000), select the check box next to 
the name of each user you want to 


10. 


allow to make an incoming 
connection. Windows lists all of the 
local user accounts on your 
computer. Use the Add button to 
create a new local account on the 
fly; click Properties to create or 
change a password. 


“When you're finished assigning 
user permissions, click Next. 


. On the Networking Software page 


(called Networking Components in 
Windows 2000), select the check 
box next to the name of each 
network component you want to 
use for an incoming connection. For 
the overwhelming majority of 
users, the default settings, using 
TCP/IP, are correct. Click Next to 
continue. 


Windows 2000 offers you the 
opportunity to give the connection 
a descriptive name; Windows XP 
does not. Click Finish to save your 
new connection. 


After creating the incoming connection, you can 
adjust its settings (including adding or removing 
users from the list of those permitted to make a 
VPN connection) at any time. Open the Network 
Connections folder (Network and Dial-Up 
Connections in Windows 2000), right-click the 
connection icon, and choose Properties. 


Add encryption to VPN 
transmissions 


One change that we strongly 
recommend is to require that all users 
of your incoming VPN connection 
encrypt all transmitted data and 
passwords. (By default, this option is 
turned off on VPN connections.) Right- 
click the icon for your incoming 
connection and choose Properties. 
Click the Users tab and select the 
Require All Users To Secure Their 
Passwords And Data check box. Before 
a user can connect to a VPN with this 
option enabled, he or she must open 
the properties dialog box for the 
outgoing VPN connection, choose the 
Security tab, and select Require Data 
Encryption (Disconnect If None). 


Connecting to a VPN 


After creating your incoming VPN connection, you 
should be able to connect to it from any 
computer running Windows XP or Windows 2000. 
Use the wizard to create a new network 
connection; after bypassing the opening screen, 
follow these steps in Windows XP: 


1. On the Network Connection Type 
page, select Connect To The 
Network At My Workplace and click 
Next. 


2. Choose Virtual Private Network 
Connection. Click Next. 


3. On the Connection Name page, 
enter a descriptive name; this text 
will be used to identify the 
connection in the Network 
Connections folder. Windows XP 
assumes you're connecting to a 
business network; however, you 
can enter any text you want here. 
Click Next. 


4. On the Public Network page, choose 
one of the following two options 
and then Click Next: 


¢ Do Not Dial The 
Initial Connection. 
Select this option if 
the computer on 
which you're creating 
the connection has a 
permanent high- 
speed Internet 


connection, or if you 
always want to 
connect to the 
Internet manually 
before connecting to 
the VPN. 


e Automatically Dial 
This Initial 
Connection. Choose 
this option and select 
a dial-up connection 
icon. This option is 
most appropriate on a 
computer that 
normally connects to 
the Internet using the 
same dial-up 
connection. 


5. On the VPN Server Selection page, 
enter the name or IP address of the 
computer that is accepting 
incoming connections. (For most 
home and small business networks, 
you should enter an IP address 
here.) Click Next. 


6°°Click Finish to save your 
connection. (Note the convenient 
option to create a shortcut to the 
connection on your desktop. If you 
plan to use this VPN connection 
often and want to avoid having to 
burrow into the Network 
Connections folder every time, 
select this check box before clicking 
Finish. ) 


In Windows 2000, the procedure is similar. On 
the Network Connection Type page, choose 
Connect To A Private Network Through The 
Internet, and then follow the same steps outlined 
for Windows XP. 


VPN connections work much like a dial-up 
connection. When you double-click the icon for 
the VPN connection, Windows contacts the 
computer name or IP address (establishing a 
dial-up connection first, if necessary) and sends 
the credentials you enter. If the credentials are 
accepted, you can browse shared resources from 
the My Network Places folder or by entering 
addresses in UNC format. 


Troubleshooting 


You can’t connect to the VPN from 
another computer. 


After you set up a VPN connection on 
another computer, you might not be 
able to connect. This can occur if a 
firewall at either end of the connection 
blocks VPN traffic. 


When you use the New Connection 
Wizard in Windows XP to create an 
incoming VPN connection, the wizard 
automatically configures the built-in 
Internet Connection Firewall 
appropriately. You can confirm that by 
visiting Network Connections, opening 
the properties dialog box for the 
Internet connection, clicking the 
Advanced tab, and clicking Settings. 
You should see entries for Incoming 
Connection VPN (L2TP) and Incoming 
Connection VPN (PPTP), and they 
should both be selected. 


If you use a different firewall— 
software or hardware—you'll need to 
configure it similarly. For PPTP 
connections (the type most commonly 
used with a Windows XP-based VPN), 
you must open port 1723 for TCP 
communication. (L2TP connections, 
which use port 1701, require a 
machine certificate for authentication 
and are available only when the VPN 
server is on a network with Windows 
.NET Server or Windows 2000 Server. 
If you're attempting to connect to a 
server using L2TP, you'll need to enlist 
the help of that network's 
administrator to locate and install a 
compatible certificate so you can make 
a connection.) 


If the firewall on your client computer 
filters outbound traffic as well as 
incoming connections (ZoneAlarm 
behaves this way, for instance), you'll 
need to open port 1723 on that 
computer as well. 


If you’re certain that firewalls at each 
end are not blocking traffic, yet you 
still can’t connect, the problem might 
be in between. Some ISPs block VPN 
traffic or allow it only with certain 
types of accounts. Check with your 
ISP for information about its policies. 


Securing a Dial-Up Connection 


VPNs and high-speed Internet connections were 
made for each other. Setting up a VPN on an 
always-on connection to a cable modem or DSL 
line is quick and easy, and you can count on the 
connection being available as long as you leave 
the computer turned on. However, under some 
circumstances you may not have the option of 
configuring a VPN server that’s reachable over 
the Internet. Your ISP may block traffic on the 
port, or you may use a router that doesn’t permit 
you to forward ports to a computer on your local 
network. 


Even when configuring an incoming VPN 
connection is technically feasible, in fact, you 
may choose not to do so for security reasons. 
Setting up an incoming VPN connection that 
responds to traffic on port 1723 means poking a 
hole in your firewall, and that open port could 
attract the attention of an unauthorized user. You 
may not want to risk the possibility that an 
intruder could exploit a vulnerability or crack a 
weak password. 


In any of these cases, you should consider using 
a dial-up connection instead. You'll need a 
modem that’s configured to answer automatically, 
along with a telephone line that you can dedicate 
to incoming data calls. Transmission speeds, of 
course, will be only a fraction of those you can 
expect from a broadband connection. The payoff, 
though, is that you can expect your incoming 
connection to be more secure than one accessed 
over the Internet. To make a connection, a 
remote user needs to know the right phone 
number and have the logon credentials you 
define for the connection. 


To create the connection, follow the same steps 
described in Setting_Up a Virtual Private Network, 
but replace steps 6 through 8 with these steps: 


6. On the Devices For Incoming 
Connections page, select the 
modem you want to use. 


7. On the Incoming Virtual Private 
Network (VPN) Configuration page, 
select Do Not Allow Virtual Private 
Connections. 


8. On the User Permissions page, 
select the check box next to the 
name of each user you want to 
allow to make an incoming 
connection. 


As an extra security precaution (and a potential 
cost-saving measure), you can set callback 
options. To set callback options for a particular 
user, select the user name, click Properties, and 
then click the Callback tab. If you select an option 
other than Do Not Allow Callback, when your 
computer receives a call, it authenticates the 
user, disconnects the call, and then dials the 
user’s modem. Use the following guidelines to 
make your selection: 


e Select Do Not Allow Callback if you 
want the remote user to make a 
connection with a single call to your 
computer. 


e Select Allow The Caller To Set The 
Callback Number if you want the 
caller to be able to specify a phone 
number for a return call. 


e Select Always Use The Following 
Callback Number and specify a 
phone number if you want your 
computer to call the user ata 
particular number. This reduces the 
likelihood that an intruder who has 
come upon a valid user name and 
password can access your system. 


Part 4 


Extreme Security 


Chapter 17 


Securing Ports and Protocols 


Controlling network access is an important part of 
system security, and on a network such as the 
Internet, based on Transmission Control 
Protocol/Internet Protocol (TCP/IP), that means 
controlling access to ports. By monitoring and 
limiting the types of connections that applications 
and computers make to your system, you can 
greatly reduce the chances that the system will 
be compromised. 


In this chapter, we first explain how ports and 
protocols work. We then show you how to 
determine which ports are being used and, more 
important, which programs are using them. 
Armed with that information, you can restrict 
access to ports other than the ones legitimately 
used by your programs, as we explain in the next 
section. 


The rest of the chapter covers the topic of 
services, specialized programs that perform 
functions to support other programs and services. 
Many services control, to one degree or another, 
the use of ports. For this reason—and because 
services typically run in the context of a 
privileged user account such as System or Local 
Service—understanding and managing services 
are important steps in securing your computer 
and your network. The final sections of the 
chapter provide more details about a particular 
collection of services—Internet Information 
Services, or IIS—that allow other users to 
connect to your computer over the Internet. 
Naturally, you'll want to take extra care in 
configuring these services. 


Security Checklist: Ports, 
Protocols, and Services 


e See which ports are 
open for incoming 
connections. 


Determine which 
services and applications 
are using the open 
ports. 


Use TCP/IP filtering to 
block access to ports 
other than ones you 
explicitly need open. 


Disable unneeded 
services. 


If you use Internet 
Information Services 
(IIS) as a server for 
Web, FTP, or SMTP 
access, disable the 
services you don’t need. 


Unless you're using IIS 
for public Internet 
access, disable 
anonymous access. 


Run the IIS Lockdown 
tool. 


How Ports and Protocols Allow 
Access to Your Computer 


For two computers to connect to each other 
through TCP/IP over the Internet, both have to 
agree on which port number (from 1 to 65535) 
and protocol they will use. (A port, in this 
context, is not a physical connector, such as a 
serial port. Rather, it’s a somewhat arbitrary 
number that two computers use to identify a 
particular network communications channel.) To 
establish a connection, the computer at the 
originating end specifies the IP address of the 
destination computer and the agreed-upon port 
number. The destination computer listens on the 
agreed-upon port number until a computer—any 
computer—sends it a message. The receiving 
computer can check the address of the 
originating computer and the information sent in 
the message to decide whether to accept the 
connection. 


On the Internet, computers primarily use either 
of two communications protocols between ports: 
Transmission Control Protocol (TCP) and User 
Datagram Protocol (UDP). In TCP communication, 
the two computers set up a long-lasting 
connection to ensure that messages are received 
reliably. For example, if a computer sends a data 
packet on a TCP connection and the packet is lost 
or corrupted for any reason, the network 
software on both computers will cooperate to 
have the data retransmitted. 


The second protocol, UDP, lets a computer send a 
simple one-packet message to another computer. 
If a UDP message is lost on its way to the 

destination, the sending computer has no way of 


knowing that it was lost. However, this lack of 
knowledge isn’t always a disadvantage. UDP is a 
low-overhead protocol, so little software is 
required to implement it. Applications can use 
UDP messages in situations in which data delivery 
isn’t crucial and keeping communication overhead 
low is important. For example, applications that 
stream media such as video over the Internet 
typically use UDP messages. In such applications, 
a few lost bytes are less likely to be noticed than 
the delays that would be incurred by using an 
error-correcting protocol to retrieve lost packets. 


More than a hundred Internet protocol 
types are defined, but only TCP and 
UDP are commonly used by 
applications. TCP/IP network software 
stacks use a third protocol, called 
Internet Control Message Protocol 


(ICMP), to communicate between 
themselves. ICMP messages do not 
use port numbers because the TCP/IP 
stack always processes them. One 
example of an ICMP message is the 
ECHO packet sent out by the Ping and 
Tracert command-line utilities. 


How Ports Are Assigned 


Ports and protocols are closely tied together 
because in most cases only one application 
listens on a port. To connect to an application, 
you must know what port it is listening on and 
what protocols it expects to use. Usually at least 
two protocols are involved. The low-level 
protocols (TCP and UDP) take care only of 
transmitting messages between the two 
computers; they don’t concern themselves with 
the actual content or meaning of the messages. 
Another application-layer protocol defines what 
the messages mean. For example, a Web browser 
and a server communicate using the HTTP 
application protocol on top of TCP. Hypertext 
Transfer Protocol (HTTP) defines what it means 
for a Web browser to send “GET /default.htm” to 
a server; the TCP protocol simply makes sure 
that the message goes through. 


The Internet community has agreed to certain 
standard application port number assignments so 
that when you want to contact the public Web 
server at http://www. microsoft.com, for 
example, you always use port 80, the designated 
port for HTTP. A group called the Internet 
Assigned Numbers Authority (IANA) is officially 
responsible for assigning port numbers in the 
range 1 through 1023 (well-known ports) and 
also coordinates the registration of port numbers 
in the range 1024 through 49151 (registered 
ports) as a service to Internet developers. Port 
numbers from 49152 through 65535 are not 
managed by the IANA at all and are generally 
used by each application in a unique way. The 
IANA has registered more than 6,000 ports; a 


complete list is available at 


http://www. iana.org/assignments/port-numbers. 


The IANA list of ports indicates 
whether a particular application or 
service supports UDP, TCP, or both 
protocols. Two completely different 
applications or services on a computer 
can use the same port number but 


different protocols; the TCP/IP 
protocol stack always knows where to 
send the message based on the 
protocol type. Fortunately, the IANA 
doesn’t allow this situation with well- 
known ports because it could cause 
human confusion. 


Thanks to the standardization of port 
assignments, client and server applications that 
use common protocols such as HTTP, Post Office 
Protocol (POP3), and File Transfer Protocol (FTP) 
can use the standard port numbers and, virtually 
all of the time, their connection will be successful. 
Default port numbers are changed so seldom that 
most applications put that information in rarely 
visited setup dialog boxes. 


Table 17-1 lists some common port numbers 
you're likely to encounter on a Microsoft 
Windows-based network. In some cases, the 
name of the service in this table won’t match 
what you see on the IANA list. The table reflects 
real-life current names and usage, even if the use 
was never reflected in the official IANA 
document. The IANA lists port 3389, for example, 
as “MS WBT Server,” indicating its early use by 
Windows-Based Terminal Server; but Microsoft’s 
most recent name for this service is Remote 
Desktop Protocol. Contrary to the IANA 
assignments, port 22 was used by PC Anywhere 


until version 7.51 even though that port was 
originally intended only for the Unix-based 
Secure Shell Remote Login service. Although PC 
Anywhere 7.52 now uses its own assigned ports 
by default, it can still be configured to use the old 
port numbers as well. 


Table 17-1. Commonly Used Ports and Protocols 


Port Protocol Description 

21 FTP File Transfer 
Protocol 

22, 65301 PC PC Anywhere 

Anywhere versions up to 

7.51 

23 Telnet Character-oriented 
terminal 
connection 

25 SMTP Simple Mail 


Transfer Protocol 


80 HTTP Hypertext Transfer 
Protocol 
110 POP3 Post Office 


Protocol version 3 


119 NNTP Network News 
Transfer Protocol 


123 NTP Network Time 
Protocol 


Port 


135 


137, 138, 


139 


143 


161 


443 


445 


1723 


1900, 


5000 


3389 


5190 


Protocol 


epmap 


NETBIOS 


IMAP 


SNMP 


HTTPS 


SMB 


PPTP 


UPnP 


RDP 


AOL 


Description 


Endpoint Mapper 


NetBIOS over 
TCP/IP 


Internet Message 
Access Protocol 


Simple Network 
Management 
Protocol 


Secure HTTP 


Server Message 
Block over TCP/IP 


Point-to-Point 
Tunneling Protocol 


Universal Plug and 
Play 


Remote Desktop 
Protocol (Terminal 
Services) 


America Online, 
AOL Instant 
Messenger 


Port Protocol Description 


5631,5632 PCAnywhere PC Anywhere 
version 7.52 and 
later 


5900, VNC Virtual Network 
59xx Computing 


Unofficial Port Usage 


Although some Internet conventions advise the 
use of certain ports for specific protocols, no rule 
absolutely decrees that you must use these ports. 
For example, you can set up your Web server to 
use port 21, even though the IANA has assigned 
that port to FTP. To connect to the server, remote 
computers would need to specify the nonstandard 
port number. Many applications that aren’t full- 
blown Web servers need a way for users to 
manage them using a Web browser; such 
applications can set up a simple HTTP-based Web 
interface on a port other than 80. Commonly 
used port numbers for Web-based services (other 
than the standard port 80) include 8080, 8081, 
8181, 8282, and 8383. Web browsers such as 
Microsoft Internet Explorer make it easy to 
specify a nonstandard port number: Simply 
append a colon and a port number to the 
address. For example, to reach a Microsoft Web 
server on port 8080, the URL would be 
http://www. microsoft.com: 8080/. Other 
applications, such as an FTP client, usually 
provide a way to specify the port number as part 
of the connection setup. 


Trojan horse programs are another type of 
software that can make use of obscure and 
nonstandard port numbers. The Trojan horse 
itself often enters a system through an email 
message or a network share. Once it’s on the 
system and activated, the program usually starts 
listening on a port for instructions. Hundreds of 
Trojan horse programs are floating around the 
Internet, and they use almost every port number 
you can imagine. The early versions of NetBus 
and Back Orifice used ports 12345 and 31337, 


respectively, but dozens of other ports are now in 
use. A Trojan horse might even intentionally use 
a standard port such as 80 or 21 in the hope that 
those ports won't be blocked at a firewall. In that 
approach, the risk for the attacker is that the 
Trojan horse might interfere with legitimate 
software and reveal itself. 


For more information about how 
Trojan horse programs work and how 


to stop them, see Trojan Horse 
Programs. 


How Connections to a Port Are Made 


When an application on one computer (the 
“originator”) wants to communicate with an 
application on another computer (the 
“destination”), it uses the operating system’s 
application programming interface (API) to create 
a network connection. The originator creates a 
message that specifies the IP address for the 
destination and the port number to be used for 
communication. Generally, the originator knows 
the number of a specific service that it wants to 
reach, so it specifies the service’s well-known 
port number, such as 80 for HTTP. As part of the 
process of creating the connection, the API 
assigns the originator a dynamic port number 
(that is, a number higher than 1023 and lower 
than 16384) that it can use for sending the 
message. 


In the case of TCP messages, the originator 
opens a connection to the destination in order to 
send the message. It can then wait for a 
response from the destination, send additional 
messages, monitor the connection for errors, and 
at some point close the connection. UDP 
messages are much more primitive: The 
originator simply uses the API to send the 
message in the direction of the destination 
computer and hopes that it gets there. 
Meanwhile, the destination must be listening on 
the port that the originator specified in order to 
receive the message. If the destination computer 
is not listening on that port, its TCP/IP network 
stack will receive the message, determine that no 
application wants to receive it, and throw it away. 


This is a key point for TCP/IP port 
security. If an application is not 


listening on a particular port, the 
TCP/IP protocol stack on that 
computer simply drops any message 
that arrives for that port. Minimizing 
the number of ports that are being 
listened to will thus reduce the 
chances of intrusions. 


If the application on the destination computer is 
listening on the port, it can receive the 
originator’s message. In a TCP connection, it can 
exchange multiple messages with the originator. 
For UDP, the connection is not persistent; the 
destination computer receives only the single 
message that was sent. Since the originator 
provides its source address and port number in 
the message it sends, the application on the 
destination computer already knows how to reach 
the originator when it replies. Thus, the 
originator's port number needn't be one of the 
well-known ports. 


Determining Which Ports Are Active 


To restrict the use of open ports, you need to know which ports are active on 
your system and which programs are using them. Although no single tool 
provides all the information you need, you can piece together the answers with 
a few tools and investigative skills. The instructions in this section show you 
how to combine the information provided by several tools to trace the program 
that is listening on a particular port. 


When port sleuthing, it’s often useful to have a list of programs that commonly 
use a particular port. Table 17-1 presented a list of the most common ports 
earlier in this chapter; a complete listing of the official assignments is at 
http://www. iana.org/assignments/port-numbers. When tracking down Trojan 
horse programs, you might also want a list of the ports they commonly use. 
The Network Ice site maintains a list organized by port number at 


http://www.iss.net/security_center/advice/Exploits/Ports/default.htm. 


Trojan horse programs often use port numbers that are also used by 
legitimate programs and system components. Do not assume that a 
system has been infected simply because you see a program 
listening on a port number that is known to be used by a particular 
Trojan horse. For example, the “Sockets de Trois” Trojan often uses 
port 5000, but so does the legitimate Simple Service Discovery 
Protocol (SSDP) Discovery Service. 


Task Manager, shown in Figure 17-1, is an important tool because it tells you 
what processes are running. To open Task Manager, press Ctrl+Shift+Esc. Click 
the Processes tab and be sure the Show Processes From All Users check box is 
selected. To sort by one of the columns, click the column heading; it’s often 
convenient to sort by process identifier (PID) if you’re looking up these 
numbers frequently. By default, Task Manager stays on top of all other 
windows, which can be annoying when you are working with multiple windows. 
You can turn off this option by choosing Options, Always On Top. 


“Figure 17-1. Task Manager provides the list of process identifier 
numbers you need to track down port usage. 


In Windows XP, Task Manager doesn’t display the PID on the 
Processes tab by default, but you can easily add it to the display. 
With the Processes tab showing, choose View, Select Columns. Then 
select PID (Process Identifier) and click OK. 


Another valuable tool for the port tracker’s kit is Tasklist (Windows XP) or Tlist 
(Windows 2000): 


e The Tasklist command is part of the standard installation for 
Windows XP, so it’s available from a command prompt. The most 
useful command option for matching up services with the ports 
on which they are listening is the command tasklist /svc, which 
displays the names of the services along with the PID and the 
image (.exe file) hosting that service. 


e In Windows 2000, the Tlist command supplies comparable 
information. It is an optional component available on the 
Windows 2000 Professional CD. To install Tlist, navigate to the 
CD’s \Support\Tools folder and run Setup. Once Tlist is installed, 
you can run it from a command prompt. The command that helps 
identify ports is tlist -s, which shows the services running. 


As a Starting point for investigation, the Netstat command-line program can 
provide much of the detail you need about ports. To use it, open a Command 


Prompt window. If you type in the simplest form of the command, netstat with 


no command-line arguments, the command shows which ports are being 
actively used. To find out which program is using each connection, add the -O 
(owner) argument to the command line. This argument displays the process 
identifier that has opened the connection. Using the PID displayed by Netstat, 
you can look up the name of the program in Task Manager. 


The Netstat, Tasklist, and Tlist commands have many options 
besides the ones mentioned here. To see a full list of the options 
available for a command, type the command name followed by -? at 
the command prompt. 


Here are the results of a Netstat -O command executed immediately after 
connecting to the microsoft.com site with Internet Explorer: 


Proto Local Address Foreign Address State 

TCP gargan:1125 MMLCAOSOIEE COME ALEO ESTABLISHED 
TOP gargan:1126 MLCLOSOF C COMI AETO ESTABLISHED 
TCE gargan:1127 C cil CLOSOiNC COMS ATTO ESTABLISHED 


In this case, the PID is the process identifier for Internet Explorer, as you might 


expect. By default, Netstat shows the names of the addresses and ports rather 


than the numbers when the names are available. The local system name is 
Gargan, and the three local ports listed are dynamically allocated and given to 
Internet Explorer as needed. Because Internet Explorer specified the “keep- 
alive” option for its connections with Microsoft’s Web server, each connection 
stays active for about a minute after the last request is made. If you click to 
another page on the Microsoft site, Internet Explorer reuses the existing 
connection to make the access faster. 


If the system has no active connections on the network, the Netstat -O 
command shows nothing. However, every network-connected system is 
listening on at least a few ports, waiting for connections. The -A option for 
Netstat shows all ports that have any kind of activity, including a program 
listening on them. Combining the -A and -O options with the -N option tells 
Netstat to show the IP addresses and port numbers instead of names. If you 
enter netstat -aon, the output looks like this: 


Proto Local Address Foreign Address State 

ME? O.0,.0.03135 O,0,0.020 LISTENING 
TOR M0002443 0-0-0030 LISTENING 
WE? O.0.0.031025 0, O.0.080 LISTENING 
MEN O.0.0.021030 OPROROROETO LISTENING 
TOR CEOE E 0-00-00 LISTENING 
TER O.0.0.03 5000 O.0.0.030 LISTENING 
TCP 10..0,0,.33139 O.0.0.080 LISTENING 
UDP 0.0.0.0:445 BSB td 

UDP 0.0.0.031031 BS ets 

UDP 0.0.0. 081049 BoB 

UDP 10 .0,0,38123 eon 

UDP Os0,0,33137 BS Dt 

UDP 10 ,0.0.33138 mec 

UDP 1050,0,.33 1900 re 

UDP 21 >0.0 13123 oe 

UDP Z7s0.0.181900 Ess 


Let’s go through each item in this Netstat listing, which is typical for a system 
running Windows XP or Windows 2000. IP addresses, port numbers, and PIDs 


will vary on each system, of course. 


The local IP addresses in the Netstat report all refer to the local system, 
although they’re expressed in three ways: 0.0.0.0, 127.0.0.1, and 10.0.0.3. 
The third address alternative is the one assigned to the system by the 
network’s Dynamic Host Configuration Protocol (DHCP) server. The Foreign 
Address fields are all zeros in the case of the TCP connections, and *:* in the 
case of the UDP connections. Both values indicate that the ports are waiting to 
receive a message from any IP address and any port. No connections are 
currently established. 


Now you can determine which programs are listening on these ports, starting 
from the top of the list. According to the IANA’s list of well-known ports, port 
135 is the Microsoft Locator Service, also known as the Endpoint Mapper. 
Remote computers can connect to this port on a destination computer to 
determine which ports are being used for a particular service. This lets services 
avoid the need to always use the same specific port number on a system. On 
this particular system, the port is opened by PID 944, which the Task Manager 
listing shows is an instance of Svchost.exe. Tasklist tells you that this PID is the 
RPC subsystem (RPCSS). 


Filter the Tasklist output 


When used with the /Fi switch, Tasklist displays information only 
about the particular task in which you're interested. For example, to 
see which service is running as PID 944, you could type tasklist 
/svc /fi “pid eq 944” at a command prompt. This command filters 
the output to include only lines in which the PID is equal to 944. The 
online help for Tasklist explains other parameters you can use with 
the /Fi switch. 


The IANA lists port 445 (both TCP and UDP) as Microsoft’s new Server Message 
Block (SMB) over TCP protocol, which was first implemented with Windows 
2000. This protocol was designed to replace the NetBIOS over TCP protocol 
used by older versions of Windows. (NetBIOS compatibility issues are 
discussed in “Inside Out: Securing the NetBIOS Ports.”) 


Port 1025 (TCP) is a dynamically assigned port, so the port number alone does 
not help determine what this port does. Similarly, PID 1044, the process 
listening on this port, is for another process managed by Svchost.exe, which 
hosts no fewer than 24 services. Given the tools available, determining which 
service actually has this port open isn’t possible. 


Port 1030, also a dynamically assigned port, is being used by PID 4, which is 
the System process. 


Port 3389 (TCP) is for the Remote Desktop Protocol (RDP), also known as 
Terminal Services. Because both Remote Desktop and Fast User Switching are 
enabled on this system, this port must remain open to service those requests. 


The IANA lists ports 5000 (TCP) and 1900 (UDP) as being used by the 
Universal Plug and Play (UPnP) protocol. If the SSDP Discovery Service is 
stopped, these ports no longer appear in the Netstat listing. 


Ports 1031 and 1049 (UDP) are dynamically assigned ports, and they are being 
used by PID 1152, another Svchost.exe process. Task Manager shows that the 
process is owned by the Network Service user account. Looking at the list of 
services in the Services console, the only service currently running on this 
system that logs on as Network Service is the DNS Client service. The Tasklist 
display also shows PID 1152 hosting the Dnscache service, which is a good 
double-check. These outgoing ports are used to communicate with the Domain 
Name System (DNS) server so that the local computer can cache DNS name 


lookups to increase performance. If the DNS Client service is stopped, the 
ports no longer appear in the Netstat listing. 


For information about various services and using the Services 
console, see Shutting Down Unneeded Services. 


Port 123 is assigned to the Network Time Protocol, so it is related to the 
Windows Time service. To confirm this, you can check its PID using Tasklist or 
Tlist. Alternatively, you can try an empirical test: Stop the Windows Time 
service. If the port disappears when you rerun Netstat, you've found the right 
program. 


Ports 137, 138, and 139 provide support for NetBIOS. In most Windows-based 
networks, NetBIOS is used to provide Windows file and printer sharing as well 
as computer name resolution. 


Securing the NetBIOS ports 


The most common use for NetBIOS today is to carry NetBIOS 
messages over TCP/IP, referred to as NetBT. This eliminates the 
need to install a different protocol such as NetBEUI or IPX just to 
carry local NetBIOS traffic. The security downside of NetBT is that 
careless configuration can result in opening your network to 
intruders and even broadcasting your vulnerability to everyone on 
your local Internet segment. 


Preventing Internet intrusions via NetBT is actually quite simple. Do 
not under any circumstances bind the File And Printer Sharing For 
Microsoft Networks item to any Internet-connected network 
segment. (That is, if you examine the properties dialog box for the 
network connection that connects your computer to the Internet, 
File And Printer Sharing For Microsoft Networks should not be 
selected. It’s okay—necessary, in fact, if you’re sharing your 
computer’s files or printers with other network users—to select this 
item in the properties dialog box for your local area network 
connection. If your computer connects to the Internet through 
another computer on your network, only that computer's Internet 
connection needs to have File And Printer Sharing For Microsoft 
Networks disabled.) Using Windows XP Internet Connection Firewall 
can also protect you. Alternatively, if you are using a hardware 
firewall, you are protected because the NetBIOS broadcasts are not 
passed through the firewall. 


Starting with Windows 2000, Microsoft offers the SMB over TCP 
option. This protocol eliminates the need for NetBT in Windows file 
and printer sharing, which closes the NetBIOS ports and eliminates 
the broadcast messages that NetBT generates. However, there are 
several significant restrictions. Because SMB was introduced with 
Windows 2000 and is not backward-compatible, it cannot be used 
on networks that have Windows 95/98, Windows Me, or Windows 
NT clients. Also, to eliminate NetBIOS as a name resolution agent, 
you must provide a DNS server that can resolve computer names 
for local addresses. Most small networks do not have their own DNS 
server and instead depend on the DNS server from their Internet 
service provider. 


Given the restrictions of the new SMB over TCP option, most small 
networks will need to stay with NetBT. Again, this is not a significant 
security problem as long as File And Printer Sharing is enabled only 
for the internal network and not for the Internet networking link. 


Restricting Access to Ports 


Internet architects originally envisioned assigning 
each new protocol or service its own port number 
so that it could be easily found and used on any 
computer. They succeeded, but their plan worked 
too well. Friendly computers in a local network 
can find the services easily, but so can any 
computer connected to the Internet, whether it’s 
being used by friend or foe. Paring down the list 
of ports that can be accessed in your network is 
an essential security measure. 


Windows includes three different mechanisms 
that can help secure a system by filtering traffic: 


e Internet Connection Firewall 
(available only in Windows XP) is an 
easy-to-configure tool that you can 
use to block all incoming traffic 
except for responses to 
communications initiated by your 
computer. This prevents hackers 
from trying to access ports that 
might have listeners running. 


TCP/IP filters can be used to permit 
or deny traffic based on source 
address/port/protocol and 
destination address/port/protocol. 
This filter mechanism is typically 
used by a more sophisticated 
administrator who needs to allow 
incoming traffic to a listener. 


IP Security (IPSec) is similar to 
TCP/IP filters but it provides the 
ability to secure traffic through 
encryption and authentication. 


IPSec filters are typically used by 
very sophisticated administrators 
who want to permit incoming traffic 
while protecting against hackers 
and eavesdroppers. 


The following sections discuss each of these 
mechanisms. 


Restricting Ports with Internet 
Connection Firewall 


Windows XP provides the Internet Connection 
Firewall (ICF) feature to let you control which 
ports are open to the Internet. If you are also 
using the Internet Connection Sharing (ICS) 
feature, you should turn on ICF for the system 
that is running ICS so that the entire network is 
protected. If your system has a direct connection 
to the Internet, you can protect that connection 
with ICF directly. 


For details about configuring Internet 
Connection Firewall, see Using 


Internet Connection Firewall in 
Windows XP. 


Restricting Ports Using TCP/IP Filtering 


In both Windows XP and Windows 2000, the 
TCP/IP protocol stack has an option that lets you 
apply a filter. This capability is limited because it 
filters only incoming packets and does not allow 
filtering by IP address. To configure TCP/IP 
filtering, follow these steps: 


1. In Control Panel, open Network 
Connections. (In Windows 2000, 
the Control Panel item is named 
Network And Dial-Up Connections.) 


2. Right-click the Local Area Network 
connection and choose Properties. 


3. On the General tab, select Internet 
Protocol (TCP/IP) and click 
Properties. 


4. On the General tab of the Internet 
Protocol (TCP/IP) Properties dialog 
box, click Advanced. 


5. In the Advanced TCP/IP Settings 
dialog box, click the Options tab. 


6. In the Optional Settings box, select 
TCP/IP Filtering and then click 
Properties. 


7. In the TCP/IP Filtering dialog box, 
shown in Figure 17-2, select Enable 
TCP/IP Filtering (All Adapters) to 
enable filtering. 


“-Figure 17-2. Options to 
restrict TCP/IP traffic are well 
hidden. 


In this dialog box, you'll see the options to 
restrict traffic for TCP ports, UDP ports, and 
protocol numbers. For each option, you can 
permit all ports or protocols or limit the allowed 
port or protocol numbers to a list that you 
provide. If you select Permit Only, you then add 
the port or protocol numbers on which you want 
to allow incoming connections; all others will be 
closed. Because the filtering you set here is for 
incoming packets only, you need to open only the 
ports that you want other computers to access. 
For example, if you run a Web server, you need 
to open port 80 so that anyone wanting to reach 
your site can do so. You don’t need to open port 
80 to reach another Web site yourself because 
outgoing connections you establish are not 
blocked. Having the option to allow all ports 
except certain specified ones would often be 
useful, but that option is not available here. 


The IP Protocol filter isn’t very effective because 
nearly all Internet traffic you might want to block 
selectively comes through TCP, UDP, or ICMP 
(protocol numbers 6, 17, and 1, respectively).You 
can’t filter out these protocols because they’re 
essential to many services. One notable 
exception: Microsoft’s Point-to-Point Tunneling 
Protocol (PPTP) uses the Generic Routing 
Encapsulation (GRE) protocol, number 47. The 
IANA maintains a complete list of protocol 
numbers at 
http://www.iana.org/assignments/protocol- 


numbers. 


In most cases, the TCP/IP Filtering dialog box 
does not offer enough flexibility to serve as a 
useful security tool. The most critical limitation is 
that the filtering applies to all network adapters 
on the system. In a system acting as an Internet 


firewall, you typically want to apply more 
restrictive filters to the Internet connection than 
you would to the local network connection. If 
you're looking for a software filter on Windows XP 
systems, use Internet Connection Firewall instead 
because it provides much better control over the 
types and methods of traffic filtering. 


Restricting Ports Using a Hardware 
Firewall 


Although software firewalls and filters offer some 
protection against intrusion, they have a major 
weakness: They’re trying to protect the computer 
they’re running on. A virus or a Trojan horse 
program that managed to run on a system could 
easily disable a software firewall, leaving it open 
to further attacks. A hardware firewall reduces 
the risk from attacks by filtering Internet packets 
before they arrive at the computers on the local 
network. Although a hardware firewall does use 
software, it is special-purpose software running 
only the most basic functions required to process 
and filter network packets. That makes it difficult 
for such common attackers as Trojan horses and 
virus-infected e-mail messages to compromise a 
hardware firewall. 


For more information about hardware 


firewalls, see Using_a Hardware 
Firewall Appliance. 


Restricting Ports Using IP Security 


IP Security (IPSec) is a broad security 
mechanism meant to overcome many of the 
security limitations of IP. Because all network 
activity in Windows XP and Windows 2000 uses 
IP by default, IPSec provides an important 
service for all network connections, incoming as 
well as outgoing. IPSec uses a filtering model to 
recognize specific IP traffic; recognized traffic can 
be blocked, permitted, or permitted after 
securing it with authentication, encryption, or 
both. 


Because it supports authentication and 
encryption, IPSec is often associated with virtual 
private networks (VPNs) and wireless local area 
networks—situations in which eavesdropping is 
possible and must be foiled. But IPSec can be 
used to secure any network connection. 


Unlike TCP/IP filtering, which merely determines 
which IP packets to allow into your computer, 
IPSec negotiates a security association between 
two computers (sometimes referred to as end-to- 
end security.) The security actions take place on 
each computer through the negotiated link. 
Although TCP/IP filtering is a part of IPSec, IPSec 
encompasses other security protocols, including 
packet filtering. The packet filtering that IPSec 
uses has more flexibility than the filtering 
discussed earlier in this chapter. 


A combination of configuration settings for all the 
associated protocols in IPSec is called a ru/e, or a 
filter rule. An IPSec policy is a collection of one or 
more rules. You can enable only one IPSec policy 
at a time, but the policy might have several rules. 
Each rule is made up of five components: 


e Filter List. Consists of one or more 
packet filtering definitions for 
filtering on protocol, source 
address/port/mask, and destination 
address/port/mask. Filter lists are 
named and stored for use in 
multiple rules. You can configure 
only one filter list per rule. A 
sample filter for closing port 139 is 
shown here. Although this example 
shows only one filter in the list, you 
can include as many filters as 
needed. 


“Filter Action. Provides 
direction on what the filter does 
with connections matching the filter 
criteria: permit, block, or negotiate 
a secure connection. 


e Authentication Methods. Offers a 
selection of user authentication 
methods: Kerberos, certificate, or 
code/key. Kerberos V5 protocol 
uses domain user accounts. 
Therefore, if the computers you are 
connecting are not in the same 
domain or in mutually trusted 
domains, you must use one of the 
other authentication methods. You 
can require that the computer 
attempting a connection have a 
server certificate from a selected 
certification authority (CA). You 
select the CA from your Trusted CA 
list. You can also use an 
alphanumeric key. If you use a 
preset key, both computers must 


have exactly the same key 
configured. 


e Tunnel Setting. Determines 
whether a connection can use a 
virtual private network. If you want 
the rule to allow a VPN connection, 
you configure the IP address of the 
requesting computer. Note that you 
can configure only one tunneling 
connection per rule. To allow 
multiple computers to request a 
VPN connection, you must create a 
rule for each computer and select 
each rule for the active policy. 


e Connection. Determines the 
connections to which this rule 
should be applied: all, dial-up, or 
network. 


You might use a single filter or filter action in 
more than one rule. For example, if you want 
incoming SMTP and FTP communications to be 
encrypted, you need to set up a rule for SMTP 
and a rule for FTP that both use the same filter 
action. You can create reusable lists of filters and 
filter actions that facilitate setting up multiple 
rules with common elements. 


Creating an IPSec Policy 


IPSec policies are managed through the IP 
Security Policy Management extension of the 
Security Settings extension, which is itself an 
extension of the Group Policy snap-in for 
Microsoft Management Console (MMC). If you’re 
using Windows XP Professional or Windows 2000, 
the easiest way to locate this extension is to open 


the Local Security Settings console: In Control 
Panel, open Administrative Tools (in the 
Performance And Maintenance category), Local 
Security Policy. Alternatively, type secpol.msc at 
a command prompt. 


If you use Windows XP Home Edition, the Local 
Security Settings console is not available. To set 
up a console with the IPSec Security Policy 
Management snap-in, follow these steps: 


1. Ata command prompt, type mmc 
to open Microsoft Management 
Console. 


2. Choose File, Add/Remove Snap-In 
(or press Ctrl+M). 


3. In the Add/Remove Snap-In dialog 
box, click Add. 


4. Select IP Security Policy 
Management and click Add. 


5. In the Select Computer Or Domain 
dialog box, select Local Computer. 
Click Finish. 


6. In the Add Standalone Snap-In 
dialog box, click Close. In the 
Add/Remove Snap-In dialog box, 
click OK. 


Regardless of how you display the IP Security 
Policies extension in MMC, you need to select IP 
Security Policies On Local Computer in the tree 
pane in order to work with IPSec policies. 


The user interface for creating IPSec policies can 
be a bit confusing. It provides property dialog 
boxes for the policy, each rule, each filter list, and 
each action. You must use one wizard but can use 


as many as four wizards. Use the IP Security 
Policy Wizard to create the shell for your new 
policy. From there, you can add rules to the 
policy and then add filter lists and filter actions to 
the rules—either by running wizards or by editing 
the properties dialog boxes for the rules, filter 
lists, and filter actions directly. The following 
sections explain each of these procedures. 


Create the Policy Shell 


1. Choose Action, Create IP Security 
Policy to start the IP Security Policy 
Wizard. Click Next. 


2. Enter a name for the policy and, 
optionally, a description. Click Next. 


3. The default response filter rule 
enforces Kerberos authentication 
and a custom security scheme and 
is used when no other filter rule 
applies. If you want to include this 
default rule in your policy, leave 
Activate The Default Response Rule 
selected. Otherwise, clear the check 
box. Click Next. 


4. If you chose to use the default rule, 
the wizard asks you for an 
authentication method to use for 
that rule. Make a selection and click 
Next. 


Add Filter Rules to the Policy 


At this point, you have created the shell of your 
policy. You now need to fill out the filter rules. 


1. Make sure that Edit Properties is 
selected, and then click Finish. The 
properties dialog box for your new 
policy appears. If you selected the 
default response rule, it is selected 
in the IP Security Rules list. Now 
you can add the primary rule(s) for 
this policy. 


2:"Make sure that Use Add Wizard 
is selected, and click Add to start 
the Security Rule Wizard. (If you 
feel confident, clear Use Add 
Wizard. When you click Add, the 
New Rule Properties dialog box 
appears. Fill out each tab according 
to the steps that follow.) Click Next. 


3. If this rule is to allow a VPN 
connection, select The Tunnel 
Endpoint Is Specified By This IP 
Address, and enter the IP address 
of the computer that will be 
requesting the connection. 
Otherwise, leave This Rule Does 
Not Specify A Tunnel selected. (In 
the properties dialog box, these 
options are on the Tunnel Setting 
tab.) Click Next. 


You need to create a 
rule for each computer 


that might be requesting 
a VPN connection. 


4. Select the network connections to 
which you want to apply this policy 
(Connection Type tab). Remote 
Access refers to dial-up 
connections. Click Next. 


5. Select the authentication method 
for this rule (Authentication 
Methods tab). Click Next. 


Add Filter Lists to the Filter Rule 


Now you need to select or define the filter list you 
want to use for this rule. If you’re using the 
Security Rule Wizard, the list of predefined filters 
is displayed, as shown here. You'll find 
comparable settings on the IP Filter List tab of 
the properties dialog box. 


Fa 


1. If the filter list you want to use is 
already defined, select it in the list 
and skip to the next section, “Finish 
Configuring the Rule.” Otherwise, 
click Add to define a new filter list. 


2. In the IP Filter List dialog box, 
which is a shell for new filter lists, 
enter a name and description for 
the new filter list. 


3. With Use Add Wizard selected, click 
Add to add a filter to this list. (If 
you feel confident, clear Use Add 
Wizard. When you click Add, the 
Filter Properties dialog box appears. 
Fill out each tab according to the 
following steps.) 


Filter lists are saved by 
name and can be used 
in multiple rules. 


4. On the first page of the IP Filter 
Wizard, click Next. 


5. In the drop-down list, select the 
source address of the packets. (In 
the Filter Properties dialog box, the 
list is on the Addressing tab.) If you 
are creating a filter for a VPN 
connection, select A Specific IP 
Address for the source and My IP 
Address for the destination. Enter 
the IP address of the computer 
requesting the VPN connection as 
the source IP address.Click Next. 


6°*In the drop-down list, select the 
destination address of the packets. 
(In the Filter Properties dialog box, 
use the Addressing tab.) The 
options are the same as for the 
source. Click Next. 


7. Select the protocol. (In the Filter 
Properties dialog box, use the 
Protocol tab.) Common selections 
are Any, TCP, UDP, and ICMP. Click 
Next. Depending on your selection, 
you might need to select the port 
numbers to filter. 


8. Click Finish to return to the IP Filter 
List dialog box. If you want to add 
another filter, click Add and repeat 
the preceding process. 


Filters are not applied in 
the order in which they 
are listed; rather, they 
are generally applied 
from most specific to 
least specific. This 
ordering is not 
guaranteed during 


system startup, so some 
anomalous behavior can 
occur at that time. 


9. When you finish adding filters to 
the filter list, click OK (or Close in 
Windows 2000) to return to the 
Security Rule Wizard. (If you’ve 
skipped the wizards, you return to 
the New Rule Properties dialog 
box.) Select the filter list you just 
created. Click Next. 


Finish Configuring the Rule 


1. Select an action to perform on 
packets matching the filter. (In the 
New Rule Properties dialog box, the 
list is on the Filter Action tab.) Pick 
one of the default actions or click 
Add to run the Filter Action Wizard 
and create a new action. (To see 
the properties dialog box for one of 
the default actions, select the 
action and then click Edit. The 
Require Security Properties dialog 
box is shown here.) Click Next and 
then click Finish. 


“On the wizard page, click Next 
and then click Finish. 


Filter actions are saved 


by name and can be 
used in multiple rules. 


2. Click OK. That rule is now defined. 
If you want to add another rule, 
click Add and repeat the process. 
As you add each rule, it appears in 


the IP Security Rules list in the 
properties dialog box for the policy. 
When you've added all the rules 
you want for your policy, click 
Close. 


Enabling an IPSec Policy 


In the Local Security Settings console, right-click 
the policy you want to enable and choose Assign 
(the IPSec term for enable). That policy is now 
enabled. If any other policy had been assigned 
previously, it becomes unassigned. 


Modifying an IPSec Policy 


As discussed earlier, IPSec policies have rules 
made up of filter lists, filter actions, 
authentication methods, tunnel settings, and 
connection types. Policies, filter lists, and filter 
actions are entities with names and associated 
configuration settings. Therefore, you can edit 
filter lists and filter actions on their own or 
through the policies that contain them. 


In the IP Security On Local Machine folder in the 
Local Security Settings console, choose Action, 
Manage IP Filter Lists And Filter Actions to open 
the dialog box shown in Figure 17-3. Select the 
filter list or filter action you want to modify, and 
click Edit. The corresponding properties dialog 
box opens, in which you can edit the 
configuration settings. These changes are 
reflected in each policy that uses the specific 
filter list or filter action. 


“-Figure 17-3. You can edit filter lists and 
filter actions directly. 


To modify an IPSec policy, select the policy in the 
Local Security Settings console, and then choose 
Action, Properties. The policy properties dialog 
box appears, similar to the one shown in Figure 
17-4. Select the rule you want to edit, and then 
click Edit to display the Edit Rule Properties dialog 
box. This is the same dialog box you see if you 
don’t use the wizard to create new rules. Each 
tab in this dialog box contains the setting for one 
of the five elements of an IPSec rule. 


“-Figure 17-4. You can modify an IPSec 
policy in its properties dialog box. 


Monitoring IPSec 


The IP Security Monitor tool displays information 
for each active security association. IP Security 
Monitor can also provide statistics about security 
associations, key usage, bytes sent and received, 
and other items. 


In Windows XP, IP Security Monitor is 
implemented as an MMC snap-in, as shown in 
Figure 17-5. To create a console with IP Security 
Monitor, follow these steps: 


1. At a command prompt, type mmc 
to open Microsoft Management 
Console. 


2. Choose File, Add/Remove Snap-In 
(or press Ctrl+M). 


3. In the Add/Remove Snap-In dialog 
box, click Add. 


4. Select IP Security Monitor and click 
Add. 


5. In the Add Standalone Snap-In 
dialog box, click Close. In the 
Add/Remove Snap-In dialog box, 
click OK. 


6. If you want to monitor other 
network computers running 
Windows XP, right-click IP Security 
Monitor in the tree pane, and 
choose Add Computer. 


“-Figure 17-5. IP Security 
Monitor in Windows XP appears 
in MMC. 


In Windows 2000, IP Security Monitor is a stand- 
alone program, as shown in Figure 17-6. To start 
IP Security Monitor, type ipsecmon at a 
command prompt. 


“-Figure 17-6. IP Security Monitor in 
Windows 2000 presents a plethora of 
Statistics about IPSec. 


Why Blocking Ports Isn't 
Enough 


As firewall solutions became popular in the mid- 
1990s, Internet application developers found that 
their software wouldn’t work across many 
firewall-guarded networks. Network 
administrators had done their job well and locked 
down all but a small handful of ports, such as 
HTTP port 80. Unfortunately, users behind a 
firewall now couldn’t use services such as 
RealAudio or AOL Instant Messenger that used 
other ports. Users who wanted these services 
could ask their network administrators to open 
the ports, but users had to know enough to ask, 
and administrators weren’t obligated to say yes. 


To circumvent this problem of blocked ports, 
application developers started using commonly 
open ports like HTTP port 80 to provide their 
services. Newer standards such as Simple Object 
Access Protocol (SOAP) are based on the ability 
to send requests via HTTP using XML (Extensible 
Markup Language). With so many applications 
now sending their non-Web-page traffic over 
HTTP in some way or another, even a carefully 
firewalled network can be porous to a wide 
variety of services. Several Trojan horse 
programs that exploit HTTP have circulated as 
well. Since outgoing Web traffic is rarely blocked, 
these programs can effectively communicate on 
nearly any network. 


One important countermeasure to combat 
malicious software is to minimize the amount of 
software that is run on your system. Only 
essential services and applications should be 


running; you should stop or disable everything 
else. 


Shutting Down Unneeded 
Services 


Windows XP and Windows 2000 offer a lot of 
services, and too many of them are up and 
running by default. By shutting down the services 
that you don’t need or use, you'll improve both 
security and performance. 


A service is a program that runs continuously in 
the background, processing requests from other 
programs or from the network. Services don’t 
interact with the user directly, the way an 
application such as Microsoft Word or Excel might. 
Instead, you usually configure the behavior of 
services through the Services console (shown in 
Figure 17-7) or, in some cases, through registry 
settings. 


“-Figure 17-7. Windows provides a lot of 
services, but most systems don't need all of 
them running. 


To start the Services console, open Control Panel, 
Administrative Tools (in the Performance And 
Maintenance category), Services. If you prefer to 
use a command prompt, simply type 
services.msc. The Services snap-in also appears 
as part of Computer Management, which you can 
start by right-clicking My Computer and choosing 
Manage or by typing compmgmt.msc at a 
command prompt. 


In the Services console, services that are 
currently running are designated as Started in the 
Status field. All other services are not running. 
The Startup Type field indicates when and whether 
Windows starts the service: If the type is 
Automatic, the service starts when Windows 
boots. A startup type of Manual means the service 


starts only if a program requests one of the 
features the service provides. A service whose 
startup type is Disabled never starts, even if 
another program needs it. 


Disabling a service that’s critical to 
system operation can render your 
computer unbootable. Stopping some 
services can cause subtle problems 
that are quite difficult to trace. In 
many cases, you should take additional 


steps before stopping a service to 
make sure that Windows is properly 
informed that you don’t want to use 
that service. Read the information for 
each service before deciding whether 
to change its startup type. 


When turning off a service that you think your 
system isn’t using, a safe first step is to stop the 
service without changing its startup type. Run 
your computer for a while—perhaps a few days— 
with the service stopped to be sure that it’s really 
not needed. If you see any unusual system 
behavior, restart the service to see whether that 
solves the problem. If you return to the Services 
console and find a service running that you’ve 
previously stopped, you'll know that some part of 
the system restarted the service because it was 
needed and that setting the service to Disabled 
might cause trouble. 


The Dependencies tab in the properties 
dialog box for a service provides 
additional clues about whether a 
service is expendable. It shows which 
other services depend on a particular 
service and which other services a 
particular service requires. Be sure to 


click the plus icons to fully expand the 
dependencies trees. 


If you run your computer for a few days without 
the service and all seems well, you can change 
the service’s startup type to Manual. Usually, 
Windows starts a service that is set to Manual 
when it is needed. In contrast, you should use the 
Disabled startup type only sparingly. Disabling a 
service tells Windows never to run the service, 
even if it’s needed for a critical operation. You 
might want to disable services that pose a 
significant security risk, such as Telnet or SMTP, 
but few others should receive this treatment. 


Understanding Windows Services 


In Windows XP (but not Windows 2000), the 
Services console displays a description for almost 
every service on the list—but it’s rarely detailed or 
helpful. Nearly all descriptions include a variation 
on this refrain: “If this service is stopped, it won’t 
work. If this service is disabled, services that 
depend on it won’t work either.” Table 17-2 
provides some further detail about specific 
services, what they do, and whether it’s safe to 
turn them off. Depending on your specific 
configuration, you might not have all the services 
listed here. You might also have other services not 
listed if third-party software has installed services 
as well. 


If you search the Internet, you might 
find sites that advocate stopping or 
disabling several services that we 
advise you to keep running. It is 
possible to run Windows with some of 
these additional services turned off. 


But you would be removing system 
functionality that Windows expects to 
be available. Windows and third-party 
applications might behave in 
unpredictable ways when these 
services are not running. 


Determining the Name of a Service 


As you view the properties dialog box 
for each service, you might notice that 
the service name (at the top of the 
General tab) often differs from the 
name that appears in the Services 
console (the display name) and that 
neither name matches the name of the 


service’s executable file. (In fact, the 
executable for many services is 
Services.exe or Svchost.exe.) The 
General tab shows all three names. 


When you use the Services console, 
you can find and work with a service 
knowing only its display name. But if 
you use Tasklist or Tlist to determine 
which service is run by a particular PID 
shown in Task Manager (see 
Determining Which Ports Are Active), 
you'll see only the service name. You'll 
also need to know the service name if 
you're forced to work with a service’s 
registry entries, which are found in the 
HKLM\System\CurrentControlSet\Servi 
ces\service subkey, where service is 
the service’s name. For these reasons, 
Table 17-2 includes the service name 
as well as the display name, allowing 
you to correlate the two without poring 
through properties dialog boxes. 


Like file names, the names of services 
are not case sensitive. In Table 17-2, 
we capitalize the service names as 
they appear in the registry. Although 
the programmers who developed 
Windows are obviously not very 
consistent in applying a capitalization 
style (or a naming convention), you're 
likely to see this same capitalization 
whenever a particular service name is 
mentioned in documentation. 


Table 17-2. Windows Services 


Display Name; Service 
Name 


Alerter; Alerter 


Description and 
Security 
Recommendation 


Provides an 
administrative alert 
(a pop-up message 
box) function that 
can be accessed 
via the Net Send 
command. Because 
this feature can be 
abused and is 
rarely required ina 
small office 
workgroup, you 
can stop this 
service and set it 
to Manual. 


Display Name; Service 
Name 


Application Layer Gateway 
Service; ALG 


Description and 
Security 
Recommendation 


Lets third-party 
software extend 
the functionality of 
Internet 
Connection Sharing 
(ICS) and Internet 
Connection Firewall 
(ICF). Needs to run 
only on systems 
where ICS or ICF is 
being used, such 
as a system 
connected directly 
to the Internet and 
acting as a router 
for the local 
network. On other 
systems, keep this 
service set to 
Manual. 


Display Name; Service 
Name 


Application Management; 
AppMgmt 


Description and 
Security 
Recommendation 


Intended for use in 
corporate 
installations where 
a network 
administrator 
might, for 
example, want to 
make new 
applications 
available for users 
to install. Windows 
Installer appears to 
need this service 
for installing 
applications, so 
keep it set to 
Manual so that it 
will start when 
needed. 


Display Name; Service 
Name 


Automatic Updates; wuauserv 


Description and 
Security 
Recommendation 


Checks for updates 
and patches at the 
Windows Update 
site and downloads 
them automatically 
if you have 
selected that 
option. In most 
cases, you will 
want this service 
set to Automatic. If 
you manage all 
your system 
updates centrally, 
set the service to 
Disabled. 


Display Name; Service 
Name 


Background Intelligent 
Transfer Service; BITS 


Description and 
Security 
Recommendation 


Lets programs 
download files over 
the Internet in a 
way that doesn’t 
significantly 
interfere with the 
user’s use of the 
available 
bandwidth. The 
service doesn’t 
provide a user 
interface to let you 
see which files are 
being transferred. 
With the service 
set to Manual, it 
should 
automatically start 
if a program needs 
it. 


Display Name; Service 
Name 


ClipBook; ClipSrv 


COM+ Event System; 
EventSystem 


COM+ System Application; 
COMSysApp 


Computer Browser; Browser 


Description and 
Security 
Recommendation 


Provides support 
for the obscure 
ClipBook Viewer 
application, which 
lets users share 
their Clipboard 
contents via cut 
and paste over the 
network. If you 
don’t use this 
application inside 
your network—it’s 
nearly certain that 
you don’t—you can 
disable this 
service. 


Part of the 
Windows plumbing 
for Component 
Object Model 
(COM) 
components. Keep 
these services set 
to Manual for a 
faster startup in 
some cases, but do 
not set them to 
Disabled. 


Allows a system to 
act as a “browse 
master.” Ina 
Microsoft Windows- 


Display Name; Service 
Name 


Description and 
Security 
Recommendation 


based workgroup, 
one computer is 
always designated 
the browse master 
and keeps a list of 
which computers 
are present on the 
network. If the 
browse master 
becomes 
unavailable, the 
remaining 
computers in the 
network elect a 
new browse 
master. Leave this 
service set to 
Automatic for most 
situations. If you 
stop the Computer 
Browser service on 
a computer, that 
system will no 
longer be eligible 
to act as a browse 
master. If one 
computer on your 
network is always 
on and is very 
reliable, you can 
set Computer 
Browser to 
Automatic on that 
computer and set it 


Display Name; Service 
Name 


Cryptographic Services; 
CryptSvc 


DHCP Client; Dhcp 


Description and 
Security 
Recommendation 


to Disabled on the 
others. 


Provides, among 
other things, digital 
signature 
verification for 
signed files such as 
device drivers and 
ActiveX controls. 
Leave it set to 
Automatic. 


Retrieves network 
settings from a 
Dynamic Host 
Configuration 
Protocol (DHCP) 
server when the 
system boots. If 
you configure your 
network settings 
(IP address, subnet 
mask, DNS server, 
gateway) manually, 
you can disable 
this service. Most 
networks use 
DHCP, and in those 
cases the service 
should be left set 
to Automatic. 


Display Name; Service 
Name 


Distributed Link Tracking 
Client; TrkWks 


Distributed Transaction 
Coordinator; MSDTC 


Description and 
Security 
Recommendation 


Tracks the location 
of NTFS files and 
resources on the 
network and ona 
local computer. You 
can set this service 
to Manual on 
computers in a 
workgroup. 


Supports Microsoft 
Transaction Server 
(MTS); primarily 
used in 
applications based 
on Microsoft SQL 
Server. Very few 
workstations need 
to have this service 
running, so you 
can keep it set to 
Manual. 


Display Name; Service 
Name 


DNS Client; Dnscache 


Description and 
Security 
Recommendation 


Looks up and 
caches requests for 
Domain Name 
System (DNS) 
names, aS a 
performance 
optimization. If the 
service is stopped, 
DNS requests are 
forwarded to the 
DNS server 
specified in your 
TCP/IP 
configuration 
settings. Leave this 
service set to 
Automatic if you 
want DNS caching, 
or set it to Manual 
if you do not. 


Display Name; Service 


Name 


Error Reporting Service; ERSvc 


Event Log; Eventlog 


Description and 
Security 
Recommendation 


Supports the 
Windows Error 
Reporting feature 
that sends program 
and operating 
system crash 
dumps to 
Microsoft. If you 
want to turn off 
this feature, first 
open Control Panel, 
System, Advanced 
and click Error 
Reporting. After 
disabling Error 
Reporting in the 
dialog box shown 
in Figure 17-8, you 
can set this service 
to Disabled. 


Maintains the 
system event log; 
this service should 
never be disabled. 
To see the event 
log, open Control 
Panel, 
Administrative 
Tools, Event 
Viewer 


Display Name; Service 


Name 


Fast User Switching 
Compatibility; 


FastUserSwitchingCompatibility 


Fax; Fax 


Description and 
Security 
Recommendation 


Supports the 
multiple-logon 
feature of Windows 
XP. To disable Fast 
User Switching, 
open Control Panel, 
User Accounts and 
click Change The 
Way Users Log On 
Or Off. Fast User 
Switching is 
available only for 
stand-alone 
computers or 
computers ina 
workgroup. 


Provides fax 
capabilities. This 
service is optional 
and is not installed 
by default. For 
information on 
installing and 
configuring this 
service, see 
Microsoft 
Knowledge Base 
article Q306550. 


Display Name; Service 
Name 


FTP Publishing; MSFTPSVC 


Help and Support; helpsvc 


Description and 
Security 
Recommendation 


Part of Internet 
Information 
Services (IIS). For 
best security, 
disable the FTP 
Publishing service 
unless you know 
you have a specific 
need for it. 
Disabling this 
service in the 
Services console 
makes it 
impossible to start 
any FTP server in 
the Internet 
Information 
Services console; 
you'll get an error 
message about the 
service not being 
able to start. 


Provides access to 
the Help and 
Support Center in 
Windows XP; some 
—but not all—such 
accesses cause this 
service to start. 
Set it to Manual so 
that it can start 
when needed. 


Display Name; Service 
Name 


Human Interface Device 
Access; HidServ 


IIS Admin; IISADMIN 


Description and 
Security 
Recommendation 


Handles the special 
wheels and 
navigation buttons 
on some mice and 
keyboards. A 
standard 102-key 
keyboard and 
Microsoft PS/2 
mouse do not 
require this 
service, SO you can 
set it to Manual if 
you don’t have 
exotic input 
hardware. 


Supports IIS; you 
will see this service 
if IIS has been 
installed. Leave it 
set to Automatic. If 
you require no IIS 
components (that 
is, you don’t have 
a server for Web, 
FTP, NNTP, or SMTP 
access), uninstall 
IIS through Control 
Panel, Add Or 
Remove Programs, 
Add/Remove 
Windows 
Components. 


Display Name; Service 
Name 


IMAPI CD-Burning COM 
Service; ImapiService 


Description and 
Security 
Recommendation 


Used by the built- 
in CD-burning 
feature in Windows 
XP. If you set the 
service to Manual, 
it starts when you 
send files to a CD 
drive in preparation 
for burning a CD. 


Display Name; Service 
Name 


Indexing Service; cisvc 


Description and 
Security 
Recommendation 


Potentially 
generates an index 
of every file on all 
your drives, 
making this a very 
resource-intensive 
service. You can 
control which 
directories are 
indexed through 
Start, 
Administrative 
Tools, Computer 
Management, 
Indexing Service. 
However, you 
might want to set 
Indexing Service to 
Disabled. No 
system services 
depend on it, and 
the Windows 
search function 
(Start, Search) 
performs its own 
file-by-file search 
(albeit more 
slowly) when 
Indexing Service 
isn’t running. 


Display Name; Service 
Name 


Internet Connection Firewall 
(ICF)/ Internet Connection 
Sharing (ICS); SharedAccess 


IPSEC Services; PolicyAgent 


Description and 
Security 
Recommendation 


Enables network 
address translation 
(NAT) for 
computers that 
share an Internet 
connection using 
ICS. Leave this 
service set to 
Automatic if you 
are using ICF or 
ICS. Otherwise, set 
it to Manual. 


Supports the IP 
Security Protocol 
(IPSec), which is 
used to secure 
some VPNs, 
wireless networks, 
and other 
networks. If you 
are not using 
IPSec, you can set 
this service to 
Manual. 


Display Name; Service 
Name 


Logical Disk Manager; 
dmserver 


Logical Disk Manager 
Administrative Service; 
dmadmin 


Messenger; Messenger 


Description and 
Security 
Recommendation 


Used to support 
the Disk 
Management 
console 
(Diskmgmt.msc). If 
you set these two 
services to Manual, 
they can be started 
as needed by Disk 
Management. 


Used, along with 
the Alerter service, 
by the Net Send 
command-line 
utility to send 
administrative 
alerts. If you have 
stopped Alerter 
and set it to 
Manual, you can do 
the same with 
Messenger. This 
service is not 
related to the 
Windows 
Messenger (also 
known as MSN 
Messenger) 
application. 


Display Name; Service 
Name 


MS Software Shadow Copy 
Provider; SwPrv 


Net Logon; Netlogon 


NetMeeting Remote Desktop 
Sharing; mnmsrvc 


Description and 
Security 
Recommendation 


Enables the 
Windows Backup 
volume shadow 
copy feature in 
Windows XP, which 
allows open files to 
be backed up. 
Keep this service 
set to Manual. 


Used only for logon 
in domain-based 
networks. For 
workgroup 
configurations, you 
can keep this 
service set to 
Manual. 


Supports the 
desktop sharing 
feature of Microsoft 
NetMeeting. If you 
don’t use 
NetMeeting, or if 
you want to ensure 
that this feature is 
not used on your 
system, set the 
service to Disabled. 


Display Name; Service 
Name 


Network Connections; Netman 


Network DDE; NetDDE 


Network DDE DSDM; 
NetDDEdsdm 


Description and 
Security 
Recommendation 


Manages network 
connectivity. Leave 
this service set to 
Manual; it starts 
automatically when 
it’s needed. 


Used to support 
Dynamic Data 
Exchange (DDE) 
over the network. 
The ClipBook 
service is one of 
very few programs 
that use Network 
DDE. You can keep 
both of these 
services set to 
Manual, but you 
might want to set 
them to Disabled 
to ensure that they 
are not started 
remotely. 


Display Name; Service 
Name 


Network Location Awareness 
(NLA); Nla 


Description and 
Security 
Recommendation 


Supports the ability 
to use two or more 
different network 
configurations; 
needed primarily 
for notebook 
computers (for 
example, using a 
home and office 
network). If the 
service is set to 
Manual, it is 
started 
automatically when 
needed. This 
service also starts 
if ICF or ICS is in 
use. 


Display Name; Service 


Name 


NT LM Security Support 


Provider; NtLmSsp 


Description and 
Security 
Recommendation 


Provides 
authentication for 
some remote 
procedure call 
(RPC) connections. 
Very few 
applications use 
this service. 
Microsoft Exchange 
Server does use it, 
but you are 
unlikely to 
encounter that in a 
workgroup 
network. Keep this 
service set to 
Manual. 


Display Name; Service 
Name 


Performance Logs and Alerts; 
SysmonLog 


Description and 
Security 
Recommendation 


Provides options to 
run a program and 
send a message 
when specific 
conditions occur. If 
you are not using 
performance alerts 
(you specify alerts 
using the 
Performance 
console, which you 
can open with 
Control Panel, 
Administrative 
Tools, Performance 
or by entering 
perfmon.msc at a 
command prompt), 
set this service to 
Manual. (Note that 
the “Send a 
network message” 
action ina 
performance alert 
requires the Alerter 
service to be 
running.) 


Display Name; Service 
Name 


Plug and Play; PlugPlay 


Portable Media Serial Number; 
WmdmPmSp 


Description and 
Security 
Recommendation 


Detects and 
configures Plug and 
Play hardware 
devices. Keep this 
service set to 
Automatic, and 
never disable it. 


Retrieves the serial 
number from 
portable music 
players connected 
to your computer. 
The serial number 
is required for 
transferring 
protected content 
to the player. If 
you don’t have a 
portable music 
player, you can set 
this service to 
Manual or 
Disabled. 


Display Name; Service 


Name 


Print Spooler; Spooler 


Protected Storage; 
ProtectedStorage 


Description and 
Security 
Recommendation 


Helps to organize 
and send print 
jobs. Running this 
service is 
mandatory if you 
print to either a 
local or a remote 
printer. If this 
service isn’t 
running, 
applications do not 
see any printers 
installed. You 
should leave this 
service set to 
Automatic in most 
cases. 


Stores passwords, 
private keys, and 
form data in an 
encrypted state for 
security. Microsoft 
Internet Explorer 
and Microsoft 
Outlook Express 
are two clients of 
this service. Keep 
the service set to 
Automatic. 


Display Name; Service 
Name 


QoS RSVP; RSVP 


Description and 
Security 
Recommendation 


Provides a 
mechanism for an 
application to 
nicely share 
bandwidth with 
other applications. 
(The name stands 
for Quality of 
Service Resource 
Reservation 
Protocol.) An 
application must be 
QoS-aware for this 
service to be used; 
the only common 
QoS-aware 
application that 
ships with Windows 
is NetMeeting. 
Leave this service 
set to Manual. 


Display Name; Service 


Name 


Remote Access Auto 


Connection Manager; RasAuto 


Description and 
Security 
Recommendation 


With a dial-up 
connection, 
automatically dials 
the connection 
when it detects 
that a message 
must be sent to 
the remote 
network. Most 
commonly, this 
service is used to 
connect to a dial- 
up Internet service 
provider. If you 
have no dial-up 
connections (for 
example, if you use 
a cable modem or 
DSL), you can set 
this service to 
Disabled. 


Display Name; Service 
Name 


Remote Access Connection 
Manager; RasMan 


Description and 
Security 
Recommendation 


Creates network 
connections and 
manages the 
Network 
Connections folder. 
ICF and ICS also 
require this 
service. In most 
cases, it will be 
running. Leave this 
service set to 
Manual so that it 
will start if needed. 


Display Name; Service 
Name 


Remote Desktop Help Session 
Manager; RDSessMgr 


Remote Procedure Call (RPC); 
RpcSs 


Description and 
Security 
Recommendation 


Supports the 
Remote Assistance 
feature of Windows 
XP. By default, 
Remote Assistance 
is not enabled and 
must be turned on 
(Control Panel, 
System, Remote). 
Because this 
feature could be a 
security risk, the 
most secure 
setting is to keep 
Remote Assistance 
disabled. If you are 
not using Remote 
Assistance, keep 
this service set to 
Manual or 
Disabled. 


Supports RPC 
functionality that is 
used by many 
components of 
Windows. Leave 
this service set to 
Automatic. If this 
service is turned 
off, the computer 
will not boot. 


Display Name; Service 
Name 


Remote Procedure Call (RPC) 
Locator; RpcLocator 


Remote Registry; 
RemoteRegistry 


Description and 
Security 
Recommendation 


Helps other 
computers on the 
network find RPC- 
based programs on 
this computer. 
Because this is not 
a common 
situation for a 
workstation, you 
can usually set this 
service to Manual 
with no problem. 


Lets a remote 
computer modify 
the Windows 
registry on your 
computer. For best 
security, you 
should disable this 
service. Giving this 
ability to a remote 
computer is 
sometimes useful 
for remote 
management tasks 
in a large 
corporation, but 
the potential for 
hard-to-detect 
abuse is great. 


Display Name; Service 
Name 


Removable Storage; NtmsSvc 


Description and 
Security 
Recommendation 


Used to manage 
offline storage 
media such as 
magnetic tapes or 
CD-RWs. However, 
this service is not 
well documented 
and is totally 
unused on most 
systems. You can 
keep the service 
set to Manual so 
that it will start in 
the rare case in 
which it is needed. 
If you’re curious, 
you can see the 
user interface in 
the Computer 
Management 
console; open 
Storage\Removable 
Storage. 


Display Name; Service 
Name 


Routing and Remote Access; 
RemoteAccess 


Secondary Logon; seclogon 
(known as RunAs Service in 
Windows 2000) 


Description and 
Security 
Recommendation 


Provides support 
for incoming dial- 
up and VPN 
connections. This 
service should be 
set to Manual or 
Disabled unless 
you want to 
provide remote 
access for the 
network through 
this computer. 


Lets the system 
start a process 
under an 
alternative user 
account name. This 
service can be 
used by Scheduled 
Tasks or by 
administrators, and 
its setting should 
be left at 
Automatic. 


Display Name; Service 
Name 


Security Accounts Manager; 
SamSs 


Server; lanmanserver 


Description and 
Security 
Recommendation 


Manages user 
name and 
password 
information for 
some applications, 
along with 
Protected Storage. 
Leave this service 
set to Automatic. 


Supports network 
file and printer 
sharing and RPC 
support. This 
service should 
usually be left set 
to Automatic. To 
prevent all 
incoming access to 
files on this system 
via file and printer 
sharing, remove 
the File And Printer 
Sharing For 
Microsoft Networks 
component from all 
network 
connections. 


Description and 


Display Name; Service Security 


Name Recommendation 
Shell Hardware Detection; Sends information 
ShellHWDetection about newly 


detected hardware 
to applications, and 
implements 
AutoPlay 
functionality. Keep 
it at the default 
setting of 
Automatic. 


Simple Mail Transfer Protocol Provides e-mail 

(SMTP); SMTPSVC message transport, 
as part of IIS. If 
you do not need 
this service (and 
most users do 
not), you should 
stop it in the 
Internet 
Information 
Services console 
and then set it to 
Manual or 
Disabled. (Besides 
being a security 
risk for your 
system, an 
incorrectly 
configured SMTP 
server can be 
hijacked by 
spammers. You 
might find your IP 


Display Name; Service 
Name 


Smart Card; SCardSvr 
Smart Card Helper; SCardDrv 


SSDP Discovery Service; 
SSDPSRV 


Description and 
Security 
Recommendation 


address, or even 
your entire IP 
address range, 
placed on several 
“known to send 
spam” lists, such 
as the Realtime 
Blackhole list at 
http://mail- 
abuse.org/rbl/. 
Many mail servers 
refuse to accept 
messages from any 
server on these 
lists, as they 
assume that the 
messages are 
spam.) 


Used to support 
smart card 
authentication 
hardware. If you 
don’t have a smart 
card that you use 
to log in to your 
system, you can 
keep these two 
services set to 
Manual. 


Provides a 
directory of 
Universal Plug and 


Display Name; Service 
Name 


Description and 
Security 
Recommendation 


Play (UPnP) 
devices that are 
available on the 
network. The 
Simple Service 
Discovery Protocol 
(SSDP) is part of 
UPnP support in 
Windows XP. In 
late 2001, a buffer 
overflow 
vulnerability was 
patched in this 
service (Microsoft 
Security Bulletin 
MS01-059). 
Because UPnP is 
sparsely used, you 
can usually set this 
service to Manual. 
However, ICF 
depends on UPnP 
to provide 
incoming 
connections to 
systems behind the 
firewall. If SSDP is 
disabled, you can't 
use Remote 
Desktop and 
Remote Assistance 
to access systems 
across the 
Internet. 


Display Name; Service 
Name 


System Event Notification; 
SENS 


System Restore Service; 
srservice 


Description and 
Security 
Recommendation 


Notifies system 
components and 
applications of 
events such as 
logon, screen saver 
start, or a switch 
to battery power. 
Keep this service 
set to Automatic. 


Maintains System 
Restore 
checkpoints. On 
most systems, you 
should keep this 
service set to 
Automatic. If you 
want to change 
System Restore 
behavior, open 
Control Panel, 
System and click 
the System Restore 
tab. If you turn off 
System Restore on 
all drives (which 
we don’t 
recommend), you 
could set this 
service to Manual. 


Display Name; Service 
Name 


Task Scheduler; Schedule 


TCP/IP NetBIOS Helper; 
LmHosts 


Telephony; TapiSrv 


Description and 
Security 
Recommendation 


Runs the programs 
in the Scheduled 
Tasks folder based 
on their schedules. 
Keep this service 
set to Automatic. 


Provides NetBIOS 
name management 
services in 
Windows 2000. 
(See Determining 
Which Ports Are 
Active.) 


Supports modem 
connections. If you 
do not use a 
modem, you can 
keep this service 
set to Manual. 
However, when 
used on a system 
with ICF or ICS 
running, that 
service will start 
the Telephony 
service. 


Display Name; Service 


Name 


Telnet; TintSvr 


Terminal Services; 
TermService 


Description and 
Security 
Recommendation 


Provides remote 
command-line 
access to the 
system. This 
service iS a 
security risk and 
should be set to 
Disabled. 


Supports all of 
Microsoft’s 
multiple-login and 
remote access 
technologies: 
Windows Terminal 
Services, Remote 
Desktop, Fast User 
Switching, and 
Remote Assistance. 
If you do not plan 
on using any 
remote access, 
disable all the 
features that 
depend on it and 
set this service to 
Manual. 


Display Name; Service 


Name 


Themes; Themes 


Description and 
Security 
Recommendation 


Provides support 
for the new look 
and feel in 
Windows XP. This 
service should be 
left at Automatic 
with one possible 
exception. If you 
have reverted to 
the Windows 
Classic look 
(Control Panel, 
Display, Themes) 
and do not intend 
to use any of the 
new user interface 
features in the 
future, you can set 
this service to 
Manual. (When you 
do this, the 
Windows XP theme 
no longer appears 
as an option.) 


Display Name; Service 
Name 


Uninterruptible Power Supply; 
UPS 


Description and 
Security 
Recommendation 


Supports the ability 
of an 
uninterruptible 
power supply 
(UPS) to notify the 
computer when 
power has gone 
out and the UPS 
battery is running 
low. This service is 
used only if you 
have a UPS, have 
connected the UPS 
to the computer 
via its USB or serial 
cable, and have 
configured the UPS 
Service via Control 
Panel, Power 
Options, UPS. In all 
situations, you can 
safely keep this 
service set to 
Manual. 


Display Name; Service 
Name 


Universal Plug and Play Device 
Host; upnphost 


Volume Shadow Copy; VSS 


Description and 
Security 
Recommendation 


Lets the computer 
perform UPnP 
announcements on 
behalf of 
noncomputer 
peripherals, such 
as a printer ora 
camera. The 
peripheral must 
provide the drivers 
and software to 
Support UPnP; in 
mid-2002 such 
devices are 
virtually 
nonexistent. It is 
probably safe to 
keep this service 
set to Manual until 
vendors start to 
use this feature. 


Manages the 
volume shadow, a 
feature of Windows 
XP that backup 
programs can use 
to take a snapshot 
and then back up 
volumes with open 
files. This service 
should be set to 
Manual. 


Display Name; Service 
Name 


WebClient; WebClient 


Windows Audio; AudioSrv 


Description and 
Security 
Recommendation 


Supports the Web- 
based Distributed 
Authoring and 
Versioning 
(WebDAV) 
extensions for 
HTTP. It isn’t likely 
that you use these, 
SO we recommend 
setting this service 
to Manual. 


Supports playing 
sounds. You should 
leave this service 
set to Automatic. 
You cannot stop 
the service from 
the Services 
console, which is a 
strong hint that it 
should always be 
running. 


Display Name; Service 
Name 


Windows Image Acquisition 
(WIA); stisvc 


Windows Installer; MSIServer 


Description and 
Security 
Recommendation 


Provides support 
for scanners and 
cameras; not 
required unless 
you have one of 
these peripherals. 
You can keep the 
service set to 
Manual, and 
Windows will start 
it if necessary. 


Supports 
installation, repair, 
and removal of 
applications that 
use Windows 
Installer (.msi) 
files. The service 
can be set to 
Manual, and 
Windows will start 
it when needed. 


Description and 
Security 
Recommendation 


Display Name; Service 
Name 


Windows Management Provides 

Instrumentation; winmgmt information about 
the system 
configuration to 
third-party 
applications and in 
some cases to 
Windows itself. 
This service, part 
of the plumbing of 
Windows, should 
remain set to 
Automatic. 


Windows Management Supplies an 

Instrumentation Driver interface to the 

Extensions; Wmi driver, if you have 
installed a driver 
that provides 
Windows 
Management 
Instrumentation 
(WMI) 
functionality. By 
default, this service 
is set to Manual, 
and you can keep 
it that way. 


Display Name; Service 
Name 


Windows Time; W32Time 


Wireless Zero Configuration; 
WZCSVC 


Description and 
Security 
Recommendation 


Provides time 
synchronization 
services. Settings 
for this service are 
housed in Control 
Panel, Date And 
Time, Internet 
Time. If you plan 
to set the time on 
a system manually, 
you can set this 
service to Manual. 
Otherwise, keep it 
set to Automatic. 


Supports automatic 
configuration of 
some brands of 
802.11a/b wireless 
LAN cards. The 
documentation for 
your LAN card 
should indicate 
whether it uses 
Wireless Zero 
Configuration. If it 
does not, or if you 
do not have a 
wireless LAN, set 
this service to 
Manual. 


Display Name; Service 
Name 


WMI Performance Adapter; 
WmiApSrv 


Workstation; 
lanmanworkstation 


World Wide Web Publishing; 
W3SVC 


Description and 
Security 
Recommendation 


Implements 
performance 
counters as part of 
Windows 
Management 
Instrumentation. 
Keep this service 
set to Manual. 


Makes network 
connections to 
other servers. Keep 
this service set to 
Automatic. 


Provides Web 
server service, as 
part of IIS. If you 
have installed IIS, 
you should 
probably have this 
service set to 
Automatic so that 
it will run on 
startup. Otherwise, 
you should 
uninstall IIS. 


“-Figure 17-8. Error reporting helps Microsoft 
determine the cause of errors, but you might 


consider it a security risk. 


Tightening Security on Internet 
Information Services 


Although neither Windows XP Professional nor 
Windows 2000 Professional is intended for high- 
performance server applications, Internet 
Information Services can do quite well for a light- 
duty intranet or as a testing server on these 
systems. (IIS isn’t supported on Windows XP 
Home Edition.) If you’re not careful, however, 
installing IIS on a system can open security 
holes. Several powerful services are installed by 
IIS, and if they are not configured or maintained 
properly, they offer outsiders a way to gain 
access to and/or control files on the system. 


To install IIS, go to Control Panel, Add Or Remove 
Programs, Add/Remove Windows Components, 
Internet Information Services. Click Details to 
select the components you want to install, as 
shown in Figure 17-9. In Windows 2000, the FTP 
and SMTP services are selected for installation by 
default. Whether you use Windows 2000 or 
Windows XP, however, if you do not need these 
services, the best security move is to clear the 
check boxes so they won’t be installed. If you're 
not sure whether you need the services, you can 
install them now and then disable them until you 
need them. 


“-Figure 17-9. When installing Internet 
Information Services, choose only the 
components you need. Few people need the 
FTP or SMTP service. 


Managing IIS Services 


With ITS installed, you will see an Internet 
Information Services item in Administrative Tools. 
(In Windows 2000, the item is named Internet 
Services Administrator, but it’s the same thing.) 
Figure 17-10 shows the Internet Information 
Services console, which also uses an MMC snap- 
in. 


“-Figure 17-10. If you've installed the FTP 
and SMTP services but don’t currently use 
them, stop them in the Internet Information 
Services console. 


Unless you specify otherwise during the 
installation process, the default IIS configuration 
installs and enables the Web, FTP, and SMTP 
services. In most cases, you will be managing the 
server content through local files or file shares, 
so you should disable the FTP service unless you 
are absolutely sure you need it. Your current 
network usually has an existing SMTP mail server, 
so you should also disable the SMTP server. 


Security-conscious Web administrators 
might discover an IP Address And 
Domain Name Restrictions box. 
(Right-click Web Sites, choose 
Properties, and then click the 
Directory Security tab.) With IIS 
running on Microsoft Windows 2000 
Server or Microsoft Windows .NET 
Server, this option lets you choose 
which remote systems can access the 
server. However, this option is 
unavailable through IIS running on 
Windows XP Professional 2000 or 


Windows 2000 Professional, and the 
corresponding Edit button is disabled. 


Running the IIS Lockdown Tool 


Given all the options that exist for configuring 
IIS, it can be confusing to determine which are 
required for your particular needs and which are 
optional and should be disabled. Fortunately, 
Microsoft has created a wizard that will walk you 
through the process of determining which 
features you need, disabling the features you 
don’t need and setting the security as tight as 
practically possible. You can read about the 
wizard (alternately called the Internet 
Information Services Lockdown Wizard and the 
IIS Lockdown tool) at 

http://www. microsoft.com/technet/security/tools 
/tools/locktool.asp, and you can download it from 


http://www. microsoft.com/Downloads/Release.as 
p?ReleaseID=33961. 


To use the Internet Information Services 
Lockdown Wizard, follow these steps: 


1. Run the executable file, 
lislockd.exe, from the folder where 
you downloaded it. 


2. Click Next on the introduction and 
license agreement pages. The 
Select Server Template page 
appears. 


3°*Select the template that most 
closely matches your use of IIS and 
then click Next. 


4. Select Install URLScan Filter On The 
Server and click Next. The URLScan 
feature protects the server from 
future URL-related exploits that 


might be uncovered. The Ready To 
Apply Settings page appears. 


5. Click Next, and the wizard 
applies appropriate settings, 
disables unneeded services, and so 
on. Click Next and then click Finish 
to close the wizard. 


A concise report of the actions taken by the 
wizard is saved as %SystemRoot%\System32\ 
Inetsrv\Oblt-rep.log. A more detailed log file is 
saved in the same folder as Oblt-log.log. 


Do not delete the log files. The 
Internet Information Services 


Lockdown Wizard uses the Oblt-log.log 
file to undo its changes if that 
becomes necessary. 


If you have problems accessing IIS after running 
the wizard, you can undo the changes it made. 
Just run the wizard again, and it offers to reverse 
all its modifications, as shown in Figure 17-11, 
giving you the opportunity to lock down IIS with 
a different set of options. This behavior is useful 
because you can select or clear specific options 
and see whether they are the source of the 
problem you are experiencing. 


“-Figure 17-11. If something doesn’t work 
right after you run the Internet Information 
Services Lockdown Wizard, you can undo its 
changes. 


Blocking Anonymous Access to IIS 


Most Web servers on the Internet are set up for 
anonymous access, but that usually isn’t the first 
choice for a Web server running on your own 
system. If you’re the only person planning to use 
the server, you should disable anonymous access. 
You don’t incur the inconvenience of entering 
passwords, because when you go to your local 
Web site (using http://localhost) Internet 
Explorer automatically logs you in using your 
current user name and password. 


To disable anonymous access in IIS, open the 
Internet Information Services console. Right-click 
Default Web Site and choose Properties. On the 
Directory Security tab, click Edit in the 
Anonymous Access And Authentication Control 
box. In the Authentication Methods dialog box, 
shown in Figure 17-12, clear the Anonymous 
Access check box. 


“-Figure 17-12. For the best security, 
disable anonymous access to your IIS server 
and do not enable Basic Authentication. 


Integrated Windows Authentication was 
previously named NT Challenge Response, and 
the old name provides a clue to how it works. 
Instead of a client sending an actual password 
over the network, the server sends the client a 
“challenge phrase” consisting of some bytes of 
data. The server sends a different challenge 
phrase each time, but the actual content isn’t 
important. The client takes the challenge phrase, 
modifies it using the password as a key, and then 
sends the modified challenge phrase back to the 
server as the response. Meanwhile, the server 
has performed the same calculation on its end, 


using the password that it expects from the 
client. If the response sent by the client matches 
the server’s calculated value, the two must have 
used the same password to perform the 
calculation, and permission is granted. 


Basic Authentication takes the direct and insecure 
approach. The user name and password are sent 
across the network essentially in plain-text form. 
Anyone with network monitoring software can 
pick up this information and use it at any time to 
log in to the server. An attacker can obtain this 
information in several other ways, even without 
network monitoring. For example, a proxy server 
could cache this information and it could be 
retrieved if the security of the proxy was 
compromised. 


Since Basic Authentication is so insecure, you 
should avoid turning it on for your server. 
However, you might encounter situations in which 
you can’t avoid it. Only Internet Explorer 
supports Integrated Windows Authentication. If 
you turn off anonymous access to the Web site 
and don’t turn on Basic Authentication, users with 
browsers other than Internet Explorer will receive 
the error message “HTTP 401.2 - Unauthorized: 
Logon failed due to server configuration” when 
they go to your site. (This is confusing but 
technically correct; the server configuration issue 
is the lack of Basic Authentication.) 


Use Internet Explorer’s automatic 
logon feature 


If you frequently access an IIS Web 
server on another system on your 
local network, you can avoid 
constantly typing your user name and 
password, even when you’ve disabled 


anonymous access in IIS. On the 
system running IIS, create a user with 
the same user name and password as 
the one you'll be using on the remote 
system. With its standard default 
settings, Internet Explorer will then 
automatically log on using your 
current user name and password, no 
prompting required. If you still receive 
prompts in Internet Explorer, select 
Tools, Internet Options, Security and 
select the Local Intranet zone. Click 
the Sites button and select the Include 
All Local (Intranet) Sites Not Listed In 
Other Zones check box. Click OK, and 
then click the Custom Level button 
and scroll to the bottom of the list. 
Under User Authentication, select 
Automatic Log on Only In Intranet 
Zone. 


Using Server Logs 


IIS maintains log files that you can use to ensure 
that no unauthorized access to the server is being 
made. Each access to the server for any type of 
file creates an entry in the log file. Failed 
accesses, such as pages that are not found or 
requests by users who are not authorized to 
access the server, are logged as well. One user 
loading a single Web page can create dozens of 
entries in the log if the page contains images that 
are also hosted on the server. 


To enable logging, open the Internet Information 
Services console, right-click Default Web Site, 
and choose Properties. On the Web Site tab, 
select Enable Logging. To configure logging 
options, click Properties to display the dialog box 
shown in Figure 17-13. 


“-Figure 17-13. Enable IIS access logs to 
ensure that no unauthorized users are using 
the server. 


For small and lightly loaded Web servers, you 
might be able to simply review the file with 
Notepad to see whether any suspicious activity 
has occurred, as shown in Figure 17-14. You can 
also import the file into Excel using the process 
described for ICF log files. (See Examining 
Internet Connection Firewall Logs.) Neither of 
these approaches is practical for a busier Web 
server; even one that gets a few thousand 
accesses a day would be very difficult to analyze 
this way. Instead, you might want to use a log 
analysis program. These programs read in the log 
files for a period of time (day, week, month, or 
longer) and summarize the accesses by user, 
page name, directory, or other groupings. You 


can find a large list of commercial and free log 
analyzers at 
http://directory.google.com/Top/Computers/Soft 
ware/Internet/Site_ Management/Log_Analysis/. 
“-Figure 17-14. You can view the IIS log file 
with Notepad, import it into Excel for further 
analysis, or use a log file analysis program. 


Keeping Up with IIS Security Patches 


A poorly maintained Web or FTP server is a 
disaster waiting to happen. New exploits are 
constantly being discovered and patched, but 
your server is protected only if you apply the 
patches. After you've installed IIS, Windows 
Update should automatically notify you of new 
IIS patches and fixes if you have enabled 
AutoUpdate. Still, it is a good idea to occasionally 
run the Microsoft Baseline Security Analyzer or 
Security Hotfix Checker (HFNetChk). For details 
about these programs, see Testing and Verifying 
Your Secure Status. 


Chapter 18 


Encrypting Files and Folders 


Throughout this book, we explain various 
methods for keeping snoops away from your 
data: password-protected user -accounts, 
restrictive NTFS permissions, prudent network 
sharing, firewalls, and so on. But what if, despite 
your best efforts, your files fall into the wrong 
hands? This is certainly a risk if you travel with a 
portable computer—a popular target for thieves. 
But even offices and homes in low-crime 
neighborhoods are sometimes burglarized, 
putting your desktop computers at risk. A 
stealthier thief—perhaps a coworker or someone 
who manages to penetrate your computer’s 
defenses through the Internet—can also make off 
with your files. 


Nearly every computer, whether it’s in a business 
or a home, contains some sensitive data that 
must never be available outside your most 
trusted circle (or, in some cases, to anyone else 
at all). In addition to financial data—such as your 
accounting records or personal finance files—your 
computer might be the repository for marketing 
plans, trade secrets, medical history, diaries, 
address books, and similar information. If 
someone can obtain a file by downloading it from 
your computer or by borrowing (or stealing) your 
portable computer, they know your secrets. 


In this chapter, we discuss the Encrypting File 
System (EFS), a feature of Microsoft Windows XP 
Professional and Windows 2000 that can prevent 
the loss of such confidential data. EFS encodes 
your files so that even if thieves are able to 
obtain a file, they can’t read it. The files are 
readable only when you log on to the computer 


with your user account (which, presumably, you 
have protected with a strong password). In fact, 
even someone else logging on to your computer 
won't have access to your encrypted files, which 
provides protection on systems that are shared 

by more than one user. 


EFS is not available on computers 
running Windows XP Home Edition. 


Security Checklist: Encrypting 
Data 


Once you set up EFS, it works silently 
in the background, requiring no 
further attention. If you don’t 
implement EFS correctly, however, you 
can undermine your security efforts. 
For example, your editing program can 
leave unencrypted temporary files on 
your drive. To adequately protect your 
data and, more important, to avoid 
permanently and irrevocably locking 
yourself out of your own folders, be 
sure to observe these guidelines: 


e If you use Windows 
2000, install Service 
Pack 2 or the High 
Encryption Pack to 
enable 128-bit 
encryption. 


e Encrypt a file or folder to 
create a personal 
encryption certificate. 


e Export the personal 
encryption certificate for 


each account. 


If you use Windows XP, 
be sure you have a 
Password Reset Disk. 
Also consider creating 
and designating a data 
recovery agent. 


Export and protect the 
private keys for recovery 
accounts, and then 
remove them from the 
computer. This prevents 
someone from accessing 
your files using the data 
recovery agent account. 


Encrypt the My 
Documents folder and 
any other local folder 
you use for storing 
documents. 


Always encrypt folders, 
not files. When a folder 
is encrypted, all files 
created in that folder are 
encrypted. (Many 
programs save a new 
copy of the document 
you are editing. This 
copy will be encrypted if 
you encrypt the folder, 
but it will be not be 
encrypted if you encrypt 
only the original file.) 


Don’t destroy file 
recovery certificates and 


private keys when you 
change data recovery 
agent policies. Keep 
them until you are sure 
that all the files they 
protect have been 
updated. 


e Configure a policy so 
that the page file is 
cleared when you shut 
down your computer. 
Otherwise, data from 
files that were decrypted 
during a working session 
might remain in the 
page file, which a thief 
could peruse. (For 
details, see Exploring 
Security Options). 


e Disable hibernation (a 
power-saving option you 
configure in Control 
Panel, Power Options). If 
your system goes into 
hibernation while 
encrypted files are open 
(and therefore 
decrypted), the data is 
accessible to a thief who 
views the Hiberfil.sys 
file. 


EFS in Windows XP Professional offers 
several features that are not available 
in Windows 2000, the first version of 
Windows to include EFS support. We 


note these additional features 
throughout this chapter, but here’s a 
preview of the significant differences 
in Windows XP: 


e You can share your 
encrypted files with 
other users you 
designate. 


e You can store encrypted 
files in a shared Web 
folder on a remote 
computer. 


e You can encrypt offline 
files. 


e Names of encrypted files 
and folders are displayed 
in green in Windows 
Explorer. 


e Stronger encryption 
algorithms are available. 


e No default data recovery 
agent is required. 


e Local administrators 
can’t gain access to your 
encrypted files by 
changing your password. 


Installing Strong Encryption in 
Windows 2000 


Before you begin relying on EFS to 

protect your data, you should ensure 
that your copy of Windows 2000 uses 
strong encryption. (Strong encryption 


refers to cryptographic operations that 
use keys of 128 bits or more.) 


All versions of Windows XP have built- 
in support for strong encryption. 
However, the original Windows 2000 
Professional CD includes only 56-bit 
encryption—the maximum allowed for 
export from the United States at the 
time Windows 2000 was completed. In 
January 2000—only a few weeks 
before the retail release of Windows 
2000—the U.S. government issued 
new export regulations allowing 
companies to ship strong encryption 
products to almost all countries. 


If you haven’t already done so, you 
should upgrade to 128-bit encryption, 
which provides strong encryption for 
encrypted files on NTFS volumes; for 
secure network connections, such as 
those using Internet Protocol Security 
(IPSec); and for all other encryption- 
based services. (To find out whether 
strong encryption is installed on your 
computer, search for a file named 
Rsaenh.dll; the file exists in 
%SystemRoot%\System32 only if 
strong encryption has been installed. ) 
You can upgrade to strong encryption 
in any of these ways: 


e Install Service Pack 2 (or 
later) for Windows 2000. 
We recommend this 
method because SP2 
also includes a large 
number of security 


patches, bug fixes, and 
enhancements. 


Install from the High 
Encryption Floppy Disk 
included in the Windows 
2000 Professional retail 
package. Run 
Encpack.exe from the 
floppy disk. 


Download and then 
install the High 
Encryption Pack from 
http://www. microsoft.co 
m/windows2000/downlo 
ads/recommended/encry 


ption. 


Using the Encrypting File 
System 


The Encrypting File System allows you to encrypt 
files on an NTFS volume so that only you can use 
them. This offers a level of protection beyond 
that provided by NTFS permissions, which you 
can use to restrict access to your files by others 
who log on to your computer. NTFS permissions 
are vulnerable for a couple of reasons. First, all 
users with administrative privileges can grant 
themselves (or others) permission to access your 
files. What’s worse, anyone who gains physical 
access to your computer can boot from a floppy 
disk (or from another operating system, if your 
computer is set up for dual booting) and use a 
utility such as NTFSDOS (available from 
Sysinternals, http://www.sysinternals.com) to 
read the files on your hard disk—without having 
to provide a user name or password. Portable 
computers, which are more easily stolen, are 
especially vulnerable to this type of information 
loss. 


Require a startup password on 
portable computers 


On most computers, you can use BIOS 
settings to construct another obstacle 
for anyone who steals your computer. 
Set your BIOS so that a password is 
required to start the computer or to 
enter the BIOS setup program, and 
set the boot options so that the 
computer can’t be booted from a 
floppy disk or CD. Unfortunately, this 
type of protection can also be 
circumvented. For example, removing 


the hard disk and installing it in 
another computer makes its files 
available to someone with the proper 
tools. 


A much more effective method is to 
remove the Syskey startup key from 
the computer. To start the computer, 
you'll then need to enter a password 
(or insert a floppy disk that contains 
the startup key, depending on how 
you set up Syskey protection) before 
you can log on. For details about 
configuring this protection, see Adding 
Another Layer of Protection with 
syskey. 


EFS provides a secure way to store your sensitive 
data. Windows creates a randomly generated file 
encryption key (FEK) and then transparently 
encrypts the data using this FEK as data is 
written to disk. Windows then encrypts the FEK 
using your public key. (Windows creates a 
personal encryption certificate with a 
public/private key pair for you the first time you 
use EFS.) The FEK is a symmetric key (that is, 
the same key is used for encrypting and 
decrypting data), which is orders of magnitude 
faster than public key encryption. The FEK, and 
therefore the data it protects, can be decrypted 
only with your certificate and its associated 
private key, which are available only when you 
log on with your user name and password. 
(Designated data recovery agents can also 
decrypt your data. For information about data 
recovery agents, see Recovering Encrypted 
Data.) Other individuals who attempt to use your 
encrypted files receive an “access denied” 
message. Even administrators and others who 


have permission to take ownership of files are 
unable to open your encrypted files. 


You can encrypt individual files, folders, or entire 
drives. We recommend that you encrypt folders 
instead of individual files. If you have hard disk 
volumes that contain only data (that is, drives 
other than the system drive and boot drive), 
consider encrypting the entire drive. When you 
encrypt a folder or drive, the existing files it 
contains are encrypted, and new files that you 
create in the folder or drive are encrypted 
automatically, as are temporary files that your 
applications create in the folder or drive. (For 
example, Microsoft Word creates a copy of a 
document in the folder where it’s stored when 
you open the document for editing. If the 
document’s folder isn’t encrypted, the temporary 
copy isn’t encrypted—giving prying eyes a 
potential opportunity to view your data.) For this 
reason, you should also consider encrypting your 
%Temp% and %Tmp% folders, which many 
applications use to store temporary copies of 
documents that are open for editing. (Note, 
however, that doing so might slow your system 
considerably, and it might prevent some 
installation programs from running properly. ) 


Before You Begin: Learn the Dangers of 
EFS 


EFS provides secure encryption of your most 
important information. The encryption is so 
secure that if you lose the key that allows you to 
decrypt your data, the information is effectively 
lost. By default, Windows provides no “back door 
if your private key is lost, nor is there any 
practical way to hack these files. (If there were, it 
wouldn’t be very good encryption.) 


n" 


You can innocently lose your key in a number of 
ways. Suppose, for example, that you have 
stored your data in encrypted folders on a second 
volume (such as drive D). You notice that your 
computer is running sluggishly and its hard disk 
is overflowing with junk files—so you decide to 
reinstall Windows from scratch. Not worrying 
about your files on another partition, you format 
drive C and reinstall Windows. Although it’s not 
apparent, reinstalling Windows creates new 
security identifiers (SIDs) for each user, even if 
you do everything exactly the same way as the 
last time you ran Setup. As a result, each user’s 
encryption certificates are also different from the 
ones they replaced, and they can’t be used to 
access the encrypted data stored on drive D. 
Even the Administrator account—which also has a 
new SID—can’t decrypt the files from a different 
Windows installation. 


Fortunately, with a little care, you can prevent 
these drastic scenarios. To learn about EFS and 
then begin safely using it for your important files, 
we recommend that you follow this approach: 


1. Create an empty folder and encrypt 
it. (For details, see the next 


section, “Encrypting Your Data.”) 


2. Create a nonessential file in the 
encrypted folder (or copy a file to 
the folder)—and check to see that 
you can use it just as you would 
any ordinary file. 


3. If your computer is not part of a 
domain, create a data recovery 
agent, a second user account that 
can be used to decrypt files should 
your personal encryption certificate 
become lost or corrupt. (For details, 
see Creating_a Data Recovery 
Agent. ) 


4. Back up your file recovery 
certificate and your personal 
encryption certificate along with 
their associated private keys. (For 
details, see Backing Up Your 
Certificates. ) 


5. Note that you won’t have a 
certificate to back up until you have 
encrypted at least one folder or file. 
A new Windows installation doesn’t 
have encryption certificates; one is 
created the first time a user 
encrypts a folder or file. 


6. Begin using EFS for your important 
confidential files. 


In summary: If you encrypt files on a computer 
that is not joined to a domain, be sure to set up a 
data recovery agent. Back up both your personal 
certificate and the data recovery agent’s file 
recovery certificate. 


Encrypting Your Data 


You'll want to encrypt any folders that contain 
confidential files. The most likely container for 
such files is your My Documents folder, although 
you might have documents stored in other 
folders, too. 


To encrypt a folder, follow these steps: 


1. Right-click the folder, choose 
Properties, click the General tab, 
and then click the Advanced button. 
(If the properties dialog box doesn’t 
have an Advanced button, the 
folder is not on an NTFS-formatted 
volume and you can’t use EFS.) 


2°"Select Encrypt Contents To 
Secure Data. 


3. Click OK twice. If the folder 
contains any files or subfolders, 
Windows displays a confirmation 
message: 


‘If you select Apply Changes To 
This Folder Only in the confirmation 
dialog box, Windows doesn’t encrypt 
any of the files currently stored in the 


folder. But any new files that you 
create in the folder, including files that 
you copy or move to the folder, will be 


To encrypt one or more files, follow the same 
procedure. You'll see a different confirmation 
message, shown in Figure 18-1, reminding you 
that the file’s folder is not encrypted and giving 
you an opportunity to encrypt it. It’s generally 


better not to encrypt individual files because the 
information you intend to protect can too easily 
become decrypted without your knowledge. For 
example, with some applications that create a 
copy of a document you have open for editing, 
the application saves the copy—which is not 
encrypted—and deletes the original, encrypted 
document. Static files that you use for reference 
only—but that you never edit—can safely be 
encrypted without encrypting the parent folder. 
Even in that situation, however, you'll probably 
find it simpler to encrypt the whole folder. 


“-Figure 18-1. If you encrypt individual files, 
Windows prods you to encrypt the parent 
folder as well. 


Some files can’t be encrypted. For 
example, you can’t encrypt any files 
that have the System attribute. Those 
files are usually system files, and the 
system might be rendered unusable if 
some of its essential files were 
encrypted. For the same reason, you 
can’t encrypt any files in the 


%SystemRoot% folder or any of its 
subfolders. Files in roaming user 
profiles also can’t be encrypted. And 
files can’t be both compressed and 
encrypted; if you encrypt a 
compressed file, Windows 
uncompresses it. 


Troubleshooting 
Windows reports an “error 
applying attributes.” 


If you see a message box similar to 
the one shown here when you attempt 
to encrypt a file, EFS has been 


disabled on your computer. (The text 
of the message can vary, depending 
on whether encryption is disabled for 
a particular folder or for the 
computer.) Although the four buttons 
might lead you to believe that you 
have a choice in the matter, you don’t. 
Regardless of which button you click, 
Windows refuses to encrypt your files 
—just as if you had clicked Cancel. 


“TO solve this problem, you need to 
enable the Encrypting File System. For 
instructions, see Disabling _or 
Reenabling_ EFS. 


Add encryption commands to 
shortcut menus 


If you frequently encrypt and decrypt 
files and folders (for most users, it’s a 
one-time “set it and forget it” 
operation), you'll find that it’s rather 
tedious to right-click, choose 
Properties, click Advanced, select or 
clear a check box, and click OK twice 
every time you want to change 
encryption status. If you’re 
comfortable using a command-line 
interface, you can use the Cipher 
command to perform these tasks. (For 
details, see Using the Cipher 
Command.) But if you’d prefer to work 
with Windows Explorer, you can use 
an easier way: Add encryption 
commands to the shortcut menu that 
appears when you right-click a folder 
or file. 


To do that, follow these steps: 


1. Use Registry Editor to 
open the 
HKLM\Software\Microsof 
t\Windows\ 
CurrentVersion\Explorer\ 
Advanced key. 


2. Open the Edit menu, and 
choose New, DWORD 
Value. 


3. Name the new value 
EncryptionContextMenu. 


4. Double-click the 
EncryptionContextMenu 
value and set its data to 
de. 


This change takes effect the next time 
you start Windows Explorer. When you 
right-click a folder or file that’s not 
encrypted, the shortcut menu includes 
an Encrypt command; a Decrypt 
command appears if the target is 
already encrypted. 


Encrypting Offline Files 


The offline files feature, introduced with Windows 
2000, allows you to cache a copy of files from a 
network share on your local computer. This 
capability is particularly useful for a mobile 
computer because it allows you to continue 
working with your files even when your computer 
is not connected to the network. (When you 
reconnect to the network, Windows synchronizes 
the local and network versions of each file.) As 
we point out, however, mobile computers are the 


ones most vulnerable to theft, so it would be 
terrific to be able to encrypt the local versions of 
your Offline files. With Windows XP (but not 
Windows 2000), you can. 


To encrypt your offline files, do the following: 


1. In Windows Explorer, choose Tools, 
Folder Options. 


2. On the Offline Files tab, shown in 
Figure 18-2, select both Enable 
Offline Files and Encrypt Offline 
Files To Secure Data. 


“-Figure 18-2. When you 
select this option, the local 
copy of your offline files is 
always encrypted, regardless of 
the files’ setting in the network 
folder. 


Using the Cipher Command 


Cipher.exe provides a command-line alternative 
for encrypting and decrypting folders and files. To 
encrypt or decrypt a folder or file, include the 
path and the appropriate switches. Use the /E 
switch to encrypt the folders or files you specify 
or the /D switch to decrypt them. For example, to 
encrypt the My Documents folder, including its 
files and subfolders, type cipher /e /a 
/s:"%ouserprofile%\my documents” at a 
command prompt. 


In the file specification, you can use wildcards. 
You can also specify multiple folders and files in a 
single instance of the command; simply separate 
each name with a space. Table 18-1 shows 
Cipher’s command-line switches for basic 
encryption and decryption operations. Cipher can 


also generate file encryption keys for users, 
create file recovery certificates, wipe unused data 
areas, and perform other tasks. For a complete 
list, type cipher /? at a command prompt. 


Table 18-1. Common Command-Line Switches 
for Cipher.exe 


Switch Description 


/E Encrypts the specified folders 
/D Decrypts the specified folders 


/S:folder Performs the operation on folder 
and its subfolders (but not on 
files) 


/A Performs the operation on 
specified files and files in specified 
folders 


Using Encrypted Data 


You'll notice no significant difference in working 
with encrypted folders or files if you’re logged on 
with the same account you used when you 
encrypted them. In fact, you might forget that 
you're using encrypted files. 


Identifying encrypted files 


Because EFS works transparently, 
knowing which folders and files are 
encrypted requires a close look. The 
process of right-clicking each file and 
then choosing Properties, General, 
Advanced (followed by Cancel, Cancel) 
is tedious. Fortunately, you can 
determine whether a folder or file is 
encrypted in any of these additional, 
and easier, ways: 


e In Windows XP (but not 
Windows 2000), you can 
tell at a glance: By 
default, Windows 
Explorer displays the 
names of encrypted 
objects in green. (If 
they’re not green, you 
need to set an option. In 
Windows Explorer, 
choose Tools, Folder 
Options. On the View 
tab, select Show 
Encrypted Or 
Compressed NTFS Files 
In Color. Windows 


Explorer uses blue for 
compressed files. ) 


e In Windows Explorer, 
use Details view. Choose 
View, Choose Details, 
and then select 
Attributes. Encrypted 
files show the letter E in 
the Attributes column. 


e In a Command Prompt 
window, type cipher 
with no parameters to 
display the encryption 
state of the current 
folder and its files. 
Cipher precedes the 
name of each encrypted 
file with an E; a U (for 
unencrypted) identifies 
other files. To display 
only specific files (or 
files in another folder), 
append a file 
specification (including 
wildcards if you like) to 
the Cipher command 
line. 


e To list all encrypted files 
on all local drives, type 
cipher /u /nina 
Command Prompt 
window. 


Encrypted files differ from unencrypted files in 
several subtle but important ways: 


When you are logged on with an account 
different from the one you used when you 
encrypted a file... If you try to open an 
encrypted file, you get an “access denied” 
message. Likewise, if you try to decrypt an 
encrypted file by clearing the encryption 
attribute, you get an “access denied” message. 
However, if you have Modify or Full Control 
permission, you can delete or rename an 
encrypted file. 


When you copy or move an unencrypted file 
to an encrypted folder... The copy you add to 
the encrypted folder becomes encrypted. 


You can override the default automatic 
encryption behavior by configuring a 
policy. In Group Policy (Gpedit.msc), 
open Computer 


Configuration\Administrative 
Templates\System. Double-click Do 
Not Automatically Encrypt Files Moved 
To Encrypted Folders and select 
Enabled. 


When you copy an encrypted file... If you 
copy an encrypted file to an NTFS volume on your 
computer or another computer running Windows 
XP or Windows 2000, it remains encrypted. (If 
EFS is disabled on the target computer, Windows 
refuses to copy the file, instead displaying a red- 
herring “access denied” message.) If you copy an 
encrypted file to a FAT volume (including floppy 
disks) or to an NTFS volume on a computer that 
is running Windows NT, the file becomes 
decrypted. 


When you move an encrypted file... If you 
move an encrypted file to another folder on the 
same volume, the file remains encrypted. Moving 
the file to another volume is essentially a “copy 


and then delete” process; moving your own 
encrypted files is handled the same way as the 
copy operation just described. If you move 
someone else’s encrypted file to a FAT volume, 
you get an “access denied” message. 


When you rename an encrypted file... The file 
is renamed and it remains encrypted. 


When you delete an encrypted file... The 
restorable file (if you delete to the Recycle Bin) 
remains encrypted. 


When you back up an encrypted file using 
Windows Backup... You’ve picked the best way 
to back up encrypted files or move them between 
systems! The files in the backup media remain 
encrypted, whether they’re on disk or tape. 
(Because most removable media can’t be 
formatted as NTFS, an ordinary copy becomes 
decrypted.) 


When you use encrypted files on a different 
computer... Your personal encryption certificate 
and its private key must be available on the 
computer. You can copy the keys manually. For 
details, see Backing Up Your Certificates. If you 
use roaming profiles, your encryption keys are 
automatically available on all computers you log 
on to with that user account. 


Other users with permission to delete 
a file (that is, users with Modify or Full 
Control permission) can’t use your 
encrypted files—but they can make 
them difficult for you to use. Any such 
user can rename your files, which can 
make them difficult to find, and also 
can delete your files. (Even if the user 
merely deletes them to the Recycle 
Bin and doesn’t remove them 


altogether, the deleted files are 
unavailable to you because you don’t 
have access to any other user’s 
Recycle Bin.) Therefore, if you're 
concerned about protecting your files 
from other authorized users as well as 
from a thief who steals your computer, 
you should modify the NTFS 
permissions to prevent any type of 
modification by other users. For more 
information, see Sharing Documents 
Securely on a Multiuser Computer. 


Like the encryption process, decryption is done 
transparently. That is, you work with your 
encrypted files exactly the same way you work 
with unencrypted files. When Windows detects 
that a file you’re accessing is encrypted, it finds 
your certificate and uses its private key to 
decrypt the data as it is read from the disk. 


To permanently decrypt a folder or file, clear the 
Encrypt Contents To Secure Data check box in the 
Advanced Attributes dialog box. If you decrypt a 
folder, Windows asks whether you want to 
decrypt only the folder or the folder and its 
contents. If you choose the latter option, 
Windows prohibits you from decrypting any files 
for which you don’t hold a valid encryption 
certificate. If you change the attribute for a file 
that you encrypted, Windows decrypts it without 
further ado. If you attempt to decrypt a file that 
someone else encrypted, you get an “access 
denied” message. 


Sharing Your Encrypted Files with 
Other Users 


A new feature in Windows XP allows you to share 
access to your encrypted files with one or more 
trusted users. The users you specify might share 
the computer with you or have access to the 
encrypted files over the network. 


The only prerequisite for sharing access to an 
encrypted file is that each user with whom you 
want to share the file must have an encryption 
certificate on your computer. The easiest way for 
a user who shares your computer to create a 
certificate is for that user to log on and encrypt a 
file. Network users should export their own 
Certificate); you can then import the certificate to 
your computer. 


Checking for encryption 
certificates 


To find out whether another user 
already has an encryption certificate 
on your computer, use the Certificates 
snap-in for Microsoft Management 
Console. (For details, see Using the 
Certificates Snap-In.) Self-signed 
certificates, whether created on your 
computer or imported to your 
computer, appear in the Trusted 
People\Certificates folder. Certificates 
issued by a certification authority (CA) 
appear in the Other People\Certificates 
folder. (Note that EFS will not use 
certificates issued by an untrusted 
CA.) If Encrypting File System appears 
in the Intended Purposes column—you 
might need to enlarge the window or 
scroll to the right to see the column— 
you can share your encrypted files 
with this person. 
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To enable another user to use one of your 
encrypted files, follow these steps: 


1. Right-click an encrypted file and 
choose Properties. On the General 
tab, click Advanced. 


2. In the Advanced Attributes dialog 
box, click Details. 


The Details button is 
unavailable when you 
initially encrypt a file. To 
use this button, you 
must encrypt the file 
and then return to the 
Advanced Attributes 
dialog box. Note also 
that the Details button is 
available only when you 
display properties for a 
single file; if you select a 
folder or multiple files, 
the button is 
unavailable. 


3. In the Encryption Details dialog 
box, click Add. The Select User 
dialog box appears, as shown in 
Figure 18-3. 


“-Figure 18-3. You can provide 
access to any account that has 
an Encrypting File System 
certificate on your computer. 


4. Select the name of the user to 
whom you want to give access, and 
then click OK. 


The users specified in the Encryption Details 
dialog box now have access to the encrypted file. 
Of course, they'll also need sufficient NTFS 
permissions to use the file and, if the file is ina 
shared network folder, permissions to access the 
network share. 


Grant EFS access only to users you 
trust. Users who are granted access 
permissions also can share files with 
other users of their choosing. The only 


way you can prevent such sharing is 
to remove the user’s Write permission 
for the file—but that might prevent 
the type of access you need. 


Accessing Encrypted Data on Remote 
Shares 


You can use your encrypted files (or ones to 
which you've been granted access, as described 
in the previous section) when they’re stored on 
another computer in your network. This, of 
course, makes it feasible for multiple users to 
access encrypted files, but it has other 
advantages as well; in particular, storing your 
network’s important documents on a single 
server can simplify backup of these essential 
files. You can encrypt and decrypt files that are 
stored on a network share or, if you’re using 
Windows XP, in a Web Distributed Authoring and 
Versioning (WebDAV) Web folder. 


Using files stored on a network share requires a 
Microsoft Windows 2000 Server or Microsoft 
Windows .NET Server domain environment, which 
places this topic beyond the scope of this book. 
Don’t feel shortchanged, however; despite the 
otherwise superior security imposed by such 


domains, remote access to encrypted files on a 
network share is less secure than using Web 
folders. When files are stored on a network 
share, the encryption and decryption are 
performed on the computer where the files are 
stored, and the files are transmitted between 
computers in unencrypted form. When a file is 
stored in a Web folder, the file remains encrypted 
during transmission; all encryption and 
decryption take place at the user’s computer. 


Securely share your files over the 
Internet 


Storing an encrypted file in a 
document folder at MSN Groups 
(http://groups.msn.com) provides the 
same security as storing in a local Web 


folder. You can share your documents 
with others (or retrieve them yourself 
from another location), and your 
encrypted documents remain 
encrypted when they’re transferred 
across the Internet. 


In addition, the use of Web folders for remotely 
accessing encrypted files is easier to set up and 
administer. And, if the Web folder is available 
over the Internet, you can securely access your 
encrypted files from anywhere in the world with 
an ordinary Internet connection. 


You can set up a Web folder on a server that is 
running Internet Information Services (IIS) 5 or 
later. (Windows 2000 includes IIS 5.0; Windows 
XP Professional includes IIS 5.1.) To set up a Web 
folder, follow these steps: 


1. Install IIS if you haven't already 
done so. (For information about 


installing and securing IIS, see 
Tightening Security on Internet 
Information Services. ) 


2. Right-click the folder you want to 
share as a Web folder and choose 
Properties. 


3. On the Web Sharing tab, select 
Share This Folder. The Edit Alias 
dialog box appears: 


4°°Specify an alias (the name by 
which users will access the folder). 
Select the Read, Write, and 
Directory Browsing permissions. 
Select None in the Application 
Permissions box. Click OK in each 
dialog box. 


Users can then access the Web folder in much the 
same way as they’d use a local folder. Its URL is 
http://servername/alias, where servername is 
the name of the server and alias is the alias you 
assigned in step 4 of the preceding procedure. 


Recovering Encrypted Data 


The security policy for a computer or a domain 
can include a data recovery policy. (In Windows 
2000, a data recovery policy is required.) This 
policy designates one or more users as data 
recovery agents; these users can decrypt 
encrypted files even if the personal encryption 
certificate used to encrypt the file is no longer 
available. This capability makes it possible to 
recover encrypted files after an employee leaves 
a company, for example. 


If your computer is running Windows 2000 and is 
not part of a Windows domain, the local 
Administrator account is the default data 
recovery agent. In Windows XP, stand-alone 
computers have no default data recovery agent; 
you should create one. (For details, see Creating 
a Data Recovery Agent.) In a domain 
environment, the default data recovery agent is 
the Administrator account for the domain. 


If your computer is a member of a domain, the 
domain administrator can designate additional 
users as data recovery agents. Using the 
domain’s Enterprise Certificate Authority, the 
domain administrator creates file recovery 
certificates for these users and adds them to 
Public Key Policies\Encrypted Data Recovery 
Agents in Local Security Settings or, more likely, 
in the domain security policy. 


Whether your computer is a domain member or 
in a workgroup, running Windows XP or Windows 
2000, best practices suggest not storing the 
private key associated with the data recovery 
agent’s file recovery certificate on the computer. 
(If it’s stored on the computer, the data recovery 


agent has access to all users’ encrypted files, a 
situation that removes the privacy protection that 
EFS is designed to provide.) To restore the data 
recovery agent’s file recovery certificate or 
private key when it’s needed, take these steps: 


1. Log on as Administrator. 


2. Use the Certificates dialog box to 
import the file recovery certificate. 
The procedure is the same as that 
used to import a personal 
encryption certificate; for details, 
see Importing _a Personal 
Encryption Certificate. 


If you need to recover encrypted files, it might be 
useful to know who encrypted the files in the first 
place. With Windows alone, you have no easy 
way to find out. However, you can use a tool 
named Efsinfo.exe to show who encrypted each 
file and who has permission to decrypt it, 
including any data recovery agents. If you have a 
Windows XP Professional CD, you can install 
Efsinfo (along with a number of other useful 
tools) by running \Support\Tools\Setup on the 
CD. Efsinfo is also available as a free download 
from Microsoft; browse to 

http://www. microsoft.com/windows2000/techinfo 
/reskit/tools/existing/efsinfo-o.asp. (If you prefer 
to type a shorter URL and don’t mind clicking a 


few links, go to http://www.reskits.com and look 
for free tools in the Windows 2000 Resource Kit. ) 


Microsoft Knowledge Base article 


Q243026 has more information about 
Efsinfo. 


A utility called EFSDump, from the good people at 
Sysinternals, is available at 

http://www. sysinternals.com/ntw2k/source/misc. 
shtml. Like Efsinfo.exe, EFSDump shows who 
encrypted a file and who has access to it. 


Disabling or Reenabling EFS 


If you want to prevent users from encrypting files 
on a particular machine, you can disable EFS. If 
your computer is part of a domain, domain-level 
policies determine whether EFS can be used on a 
workstation. For stand-alone computers and 
computers that are part of a workgroup, the 
following sections explain how to control the 
availability of EFS. 


Disabling or Reenabling EFS in 
Windows XP 


To disable EFS on a computer running Windows 
XP Professional that is not part of a domain, 
follow these steps: 


1. Open Registry Editor. (At a 
command prompt, type regedit. ) 


2. Open the 
HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\EFS key. 


3. Choose Edit, New, DWORD Value. 


4. Type EfsConfiguration as the 
name for the new value. 


5. Double-click the EfsConfiguration 
value and change its value data to 
1. 


6. Restart the computer. 


To reenable EFS, return to the same value and 
change it to 0. 


Intrepid tweakers might come across 
a check box called Allow Users To 
Encrypt Files Using Encrypting File 
System (EFS) and assume that 
clearing it disables EFS. Unfortunately, 
this action has no effect in a 


workgroup environment. If you want 
to check it out for yourself, open Local 
Security Settings (Secpol.msc), select 
Public Key Policies, right-click 
Encrypting File System, and choose 
Properties. 


Disabling or Reenabling EFS in 
Windows 2000 


If you’re using Windows 2000, follow these steps 
to disable EFS on a computer that is not part of a 
domain: 


1. Open Local Security Settings. (In 
Control Panel, open Administrative 
Tools, Local Security Policy. Or, 
more simply, type secpol.msc at a 
command prompt.) 


2. In Local Security Settings, go to 
Public Key Policies\Encrypted Data 
Recovery Agents. 


3. Right-click the Administrator 
certificate and choose Delete. 


Before you delete a 
certificate, be sure you 
have exported the file 
recovery certificate and 
its private key so that 
the key is available for 
data recovery. (For 


details, see “Backing Up 
the Data Recovery Agent 
Certificate.”) Without it— 
or another valid data 


recovery agent 
certificate, such as one 
from a domain controller 
—you won't be able to 
reenable EFS unless you 
reinstall Windows 2000. 


4. In response to the confirmation 
dialog box, click Yes. 


This procedure creates an empty recovery policy. 
When the policy is empty—that is, all the data 
recovery agent certificates have been deleted— 
users who attempt to encrypt files will see the 
error message “There is no valid encryption 
recovery policy configured for this system.” 


To reenable EFS after you’ve set an empty 
recovery policy, you reinstall the data recovery 
agent certificate, as follows: 


1. In Local Security Settings, go to 
Public Key Policies\Encrypted Data 
Recovery Agents. 


2. Right-click Encrypted Data 
Recovery Agents, and choose 
Initialize Empty Policy. (If the 
command is not on the shortcut 
menu, you already have an empty 
policy; skip this step.) 


3. Right-click Encrypted Data 
Recovery Agents, and choose Add 
to launch the Add Recovery Agent 
Wizard. Click Next. 


4. On the Select Recovery Agents 
page, click Browse Folders and then 
navigate to the folder that contains 
the .cer file for the data recovery 
agent you want to add. (The 
Browse Directory button searches 
Active Directory, a feature of 
Windows 2000 Server-based 
domains.) Click Open. 


5: Here’s where the wizard 
becomes confusing. The Select 
Recovery Agents page now shows 
the new agent as USER_UNKNOWN. 
This is normal. Simply click Next 
and then click Finish. 


6. A message appears: “The certificate 
cannot be validated.” Again, this is 
normal. Click OK. 


The certificate for the data recovery agent (with 
the correct user name shown) now appears in the 
details pane, and you can begin encrypting files 
again. 


Disabling EFS for Individual Folders or 
Files 


You might want to prevent the encryption of files 
in a certain folder to ensure that they remain 
available to everyone who has access to the 
folder. To disable encryption within a folder, use 
Notepad (or another text editor) to create a file 
that contains the following lines: 


[Eneryotion] 
Disable=1 


Save the file as Desktop.ini in the folder in which 
you want to prevent encryption. Any encrypted 
files already in the folder remain encrypted, but 
users who attempt to encrypt any other files will 
be stopped with this message: “The directory has 
been disabled for encryption.” 


Disabling encryption in this fashion doesn’t 
disable encryption altogether, even within the 
folder you've set up. If you copy or move 
encrypted files into the folder, they remain 
encrypted. And if you create a subfolder within 
the folder, you can encrypt the subfolder and any 
files it contains. 


Troubleshooting 


Files still become encrypted after 
you've disabled EFS for a folder. 


You might discover that files added to 
a folder become encrypted even after 
you create the Desktop. ini file 
described here and store it in the 
folder. This can occur if encryption was 
already enabled for the folder when 
you added the Desktop. ini file. (With 
the file in place, you won’t be able to 
set the encryption attribute for the 
folder.) To prevent new files from 
being encrypted, right-click the folder, 
choose Properties, click Advanced, and 
clear the Encrypt Contents To Secure 
Data check box. 


It’s possible, but generally not practical, to 
prevent certain files from being encrypted. You 
can do this in any of the following ways, each of 
which has a drawback: 


e Store the file in %SystemRoot% or 
one of its subfolders—folders in 
which encryption is never allowed. 
(Drawbacks: Windows makes it 
difficult to browse to these folders, 
and storing the file here might not 
fit your system of organizing files.) 


e Use the Attrib command to set the 
file’s System attribute. (Drawback: 
By default, Windows Explorer does 
not display system files, so they’re 
difficult to find. ) 


e Remove Write permission from the 
file for users you want to prevent 
from encrypting. (Drawback: 
Removing Write permission also 
prevents users from editing the 
file.) 


Strengthening EFS Protection 


EFS provides extremely strong protection against 
attackers. Multiple levels of encryption make it all 
but impossible to crack. In Windows XP (but not 
Windows 2000), you can strengthen security 
even more by using Triple Data Encryption 
Standard (3DES) to encrypt and decrypt files 
instead of the default algorithm, expanded Data 
Encryption Standard (DESX). Although 3DES is 
more secure, it’s slower because it processes 
each block of each file three times. 


To enable 3DES protection, follow these steps: 


1. Open Local Security Settings 
(Secpol.msc). 


2. Select Security Settings\Local 
Policies\Security Options. 


3. In the details pane, double-click 
System Cryptography: Use FIPS 
Compliant Algorithms For 
Encryption, Hashing, And Signing. 


4. Select Enabled and click OK. 


Protecting encrypted files from 
wily administrators 


If you use EFS extensively and your 
computer is not a member of a 
domain, you might consider upgrading 
to Windows XP if you haven’t already. 
That’s because Windows XP adds 
another level of protection that 
directly affects the security of your 
encrypted files. In Windows 2000, an 
administrator can reset your password 


—a valuable trick if you forget the 
password. However, that means an 
unscrupulous administrator can reset 
your password, log in using your 
account, and peer into your encrypted 
files. The underhandedness won't go 
undetected (because your password 
has been changed, you'll need to 
contact the same administrator to 
reset it for you), but the damage will 
have been done. With Windows XP, in 
contrast, if anyone other than yourself 
changes your password, your 
certificates (which are needed for 
decrypting files, among other things) 
become inaccessible. Should a 
devious, but uninformed, 
administrator try to get your secrets 
by changing your password, you can 
restore access to your certificates by 
resetting your password to its 
previous value or by using your 
Password Reset Disk. For more 
information, see Recovering_a Lost 
Password. 


Creating a Data Recovery 
Agent 


Designating a data recovery agent—another user 
who can access your encrypted files—allows you 
to recover encrypted files if something happens 
to your private key. 


In Windows 2000, the Administrator account is 
set up as the default data recovery agent. If your 
computer is a member of a domain, the domain 
administrator is the default data recovery agent. 
But if you’re using Windows XP and your 
computer is not in a domain, there is no default 
data recovery agent. 


In Windows 2000, a data recovery 
agent is required. If no data recovery 
agent exists, you can’t encrypt files. 


In Windows XP, however, a data 
recovery agent is optional (but usually 
desirable). 


To create a data recovery agent, you must create 
a file recovery certificate and then designate a 
user to be the data recovery agent. 


Generating a File Recovery Certificate 


To generate a file recovery certificate, follow 
these steps: 


1. Log on as an administrator. 


2. At a command prompt, type cipher 
/r:filename, where filename is the 
name you want to assign to the 
stored certificate files. Do not 
include a filename extension. 


3. When prompted, type a password 
that will be used to protect the files 
you create. 


These steps generate both a .pfx file and a .cer 
file with the file name you specify. 


These files allow anyone to become a 
data recovery agent. Be sure to copy 
them to a disk and put it in a secure, 


safe place. Then erase these files from 
our hard disk. 


An alternative to data recovery 
agents 


The reason Windows XP does not have 
a default data recovery agent for 
stand-alone computers is to provide 
enhanced security. In Windows 2000, 
a thief who’s able to crack the 
Administrator account (the default 
data recovery agent) has access to all 
the encrypted files on a stolen 
computer. With Windows XP, the only 
way a thief can get your encrypted 


data is by knowing your user name 
and password. 


This extra security comes with some 
risk: If you forget your password, 
you're locked out of your own files, 
and you have no practical way to get 
them back. For that reason, we 
suggest creating a data recovery 
agent as one solution. However, 
another solution that’s easier and, 
perhaps, more secure is to create a 
Password Reset Disk. For details, see 
Using_a Password Reset Disk. 


Designating Data Recovery Agents 


You can designate any user as a data recovery 
agent. We recommend that you use the 
Administrator account. 


Do not designate the account you use 
to create encrypted files as a data 
recovery agent. Doing so provides 


little or no protection. If the user 
profile is damaged or deleted, you will 
lose all the keys that allow decryption 
of the files. 


Follow these steps to designate a data recovery 
agent: 


1. Log on with the account that you 
want to designate as a data 
recovery agent. 


2. Using the Certificates snap-in (in 
Windows XP, type certmgr.msc at 
a command prompt), go to 
Certificates - Current 
User\Personal. 


3. Choose Action, All Tasks, Import to 
launch the Certificate Import 
Wizard. Click Next. 


4. Enter the path and file name of the 
encryption certificate (a .pfx file) 
you exported (see Figure 18-4), 
and click Next. If you click Browse, 
you must select Personal 
Information Exchange in the Files 
Of Type box to see .pfx files. Click 
Next. 


Pa 


Figure 18-4. Be sure to 

specify the .pfx file—not the 
.cer file to which the Browse 
button leads you by default. 


5. Enter the password for this 
certificate, and then select Mark 
This Key As Exportable. Click Next. 


6. Select Automatically Select The 
Certificate Store Based On The Type 
Of Certificate, and then click Next. 
Click Finish. 


7. In Local Security Settings 
(Secpol.msc), go to Security 
Settings\Public Key 
Policies\Encrypting File System. 


8. Choose Action, Add Data Recovery 
Agent. Click Next. 


9. On the Select Recovery Agents 
page, click Browse Folders and then 
navigate to the folder that contains 
the .cer file you created. (The 
Browse Directory button searches 
Active Directory.) Select the file and 
click Open. 


10. The Select Recovery Agents page 
now shows the new agent as 
USER UNKNOWN. Don’t be alarmed 
by the USER_UNKNOWN text; 
simply click Next and then click 
Finish. 


“The current user is now the data 
recovery agent for all encrypted files on this 
system. 


Removing the Private Key 


To prevent someone from simply logging on as 
Administrator (or another designated data 
recovery agent) and viewing another user’s 
encrypted files, you can export and remove the 
data recovery agent’s private key. Keep the key 
in a secure location—without it, you can’t use the 
file recovery certificate. 


To remove the data recovery agent’s private key, 
follow these steps: 


1. 


Log on with the account you 
designated as a data recovery 
agent. 


. In Certificates (Certmgr.msc), go to 


Certificates - Current 
User\Personal\Certificates. 


. Right-click the File Recovery 


certificate (so identified in the 
Intended Purposes column), and 
then choose All Tasks, Export to 
launch the Certificate Export 
Wizard. Click Next. 


. Select Yes, Export The Private Key, 


and then click Next. 


. Select Enable Strong Protection and 


Delete The Private Key If The 
Export Is Successful. Click Next. 


6%“Enter a password twice, and 
then click Next. 


. Specify the path and file name for 


the exported file. 


8. Click Next and then click Finish. 


As with the file recovery certificates, you should 
copy the file to a removable disk, store itina 
secure location, and then remove the file from 
your hard disk. 


The data recovery agent’s public key is now used 
to encrypt a copy of the FEK with each encrypted 
file, but because the private key is not available, 
the data recovery agent can’t view the files. To 
reestablish the data recovery agent’s access to 
encrypted files, import the private key you just 
exported, using the same procedure as for 
importing a personal certificate. For details, see 


Backing Up Your Certificates 


When you use encryption for the first time (and 
you don’t already have a certificate that’s valid 
for EFS), Windows creates a self-signed 
certificate for EFS. (Se/f-signed means that the 
certificate has not been granted by a trusted 
certification authority that can confirm your 
identity. Such verification is unnecessary for this 
purpose; in this case, the signature merely 
confirms that the certificate was created while 
your account was logged on.) This certificate 
becomes your personal encryption certificate, and 
it contains the public/private key pair used for 
encrypting and decrypting files while you’re 
logged on. 


Each user who encrypts files on a system has a 
personal encryption certificate. In addition, 
Windows can create a certificate for the 
designated data recovery agent. This certificate, 
whose purpose is shown as File Recovery, is not 
the same as that user’s personal encryption 
certificate, whose purpose is shown as Encrypting 
File System. 


All users should have a backup of their personal 
encryption certificate. More important, the 
system administrator should have a backup of 
the file recovery certificate and the data recovery 
agent’s private key. Without one or the other of 
the certificates, encrypted files are unusable. 


Backing Up the File Recovery 
Certificate 


The file recovery certificate provides an 
administrative alternative for decrypting files if a 
user’s personal encryption certificate is 
unavailable for any reason. Having a backup of 
this certificate is essential if you plan to use EFS. 


To back up the file recovery certificate, follow 
these steps: 


1. Log on as a member of the 
Administrators group. 


2. In Local Security Settings 
(Secpol.msc), go to Security 
Settings\Public Key 
Policies\Encrypting File System. (In 
Windows 2000, the folder is called 
Encrypted Data Recovery Agents.) 


3. Right-click the certificate issued to 
Administrator (or another user 
account) for the purpose of File 
Recovery. Choose All Tasks, Export 
to launch the Certificate Export 
Wizard, and then click Next. 


4. Select DER Encoded Binary X.509 
(.CER), and then click Next. 


5: Specify the path and file name 
for the exported file. 


6. Click Next and then click Finish. 


Exporting a Personal Encryption 
Certificate 


To back up a personal encryption certificate, take 
these steps: 


1. Log on as the user whose certificate 
you want to back up. 


2. In Microsoft Internet Explorer, 
choose Tools, Internet Options. On 
the Content tab of the Internet 
Options dialog box, click 
Certificates to open the Certificates 
dialog box. 


If you prefer, you can 
use the Certificates 
snap-in for Microsoft 
Management Console for 
this procedure. We 
chose to open the 


Certificates dialog box 
through Internet Options 
because this route is 
available and easily 
understandable for all 
users; no special 
privileges are required. 


3. On the Personal tab, select the 
certificate that shows Encrypting 
File System in the Certificate 
Intended Purposes box at the 
bottom of the dialog box. 


Windows creates this 
certificate the first time 
you encrypt a folder or 


file. Unless you have 
encrypted something—or 
you created an 
encryption certificate in 
some other way—the 
certificate won't exist. 


4. Click Export to launch the 
Certificate Export Wizard, and then 
click Next. 


5. Select Yes, Export The Private Key, 
and then click Next two times. 


6. Specify a password for the .pfx file. 
It doesn’t need to be the same as 
your logon password. Click Next. 


7. Specify the path and file name for 
the exported file. 


8. Click Next and then click Finish. 


As you'll see in the next section, the import 
process makes it easy to install your certificate 
on another computer—and thereby provide 
access to your encrypted files. For that reason, 
be careful to observe these guidelines: 


e When you export your certificate, 
be sure to protect it with a 
password that can’t be guessed 
easily. Unlike the case of logon 
attempts, no policies exist to 
prevent further attempts after a 
certain number of incorrect 
guesses. (On the other hand, be 
sure to use a password that you 
can remember when the need 
arises!) 


e Be sure to keep your certificate files 
—whether they’re on a floppy disk, 
a hard disk, or some other medium 
—in a secure place. 


Importing a Personal Encryption 
Certificate 


You will need to import your personal certificate— 
one that you exported to disk using the 
procedure in the preceding section—in either of 
the following situations: 


e You want to use your encrypted 
files on a different computer. 


e Your original personal certificate is 
accidentally lost or becomes 
corrupt. 


To import a personal encryption certificate, follow 
these steps: 


1. In Internet Explorer, choose Tools, 
Internet Options. On the Content 
tab of the Internet Options dialog 
box, click Certificates to open the 
Certificates dialog box. 


2. Click Import to launch the 
Certificate Import Wizard, and then 
click Next. 


3. Enter the path and file name of the 
encryption certificate (a .pfx file) 
you exported, and then click Next. 
If you click Browse, you need to 
select Personal Information 
Exchange in the Files Of Type box 
to see .pfx files. 


4. Enter the password, select other 
options if you want, and then click 
Next. 


5¢-Select Place All Certificates In 
The Following Store, click Browse, 
and then select Personal. Click OK, 
Next, and then Finish. 


As a quick alternative to the first three 
steps of the preceding procedure, you 
can simply double-click the encryption 


certificate file in Windows Explorer. 
Doing so launches the Certificate 
Import Wizard. 


Creating a New Personal Encryption 
Certificate 


If you lose your personal encryption certificate, 
you can create a new one using Cipher.exe, the 
command-line encryption utility. At a command 
prompt, simply type cipher /k to create a new 
personal encryption certificate for the user 
running Cipher. (By using the RunAs command to 
launch Cipher, you can create certificates for 
other users.) Of course, you can’t use the new 
certificate to decrypt files that were encrypted 
using the public key from your old certificate. 


Chapter 19 


Managing Security Through 
Group Policy and Security 
Templates 


Group Policy is a feature of Microsoft Windows XP 
Professional and Microsoft Windows 2000 that 
lets an administrator configure a computer and, 
optionally, prevent users from changing that 
configuration. Administrators can use Group 
Policy to set standard desktop configurations; 
restrict what settings users are allowed to 
change; specify scripts to run at startup, 
shutdown, logon, and logoff; redirect users’ 
special folders (such as My Documents) to 
network drives; and more. In addition—and more 
pertinent to the topic of this book—administrators 
can use Group Policy to control a number of 
security settings. 


To manage Group Policy in Windows 
XP Professional or Windows 2000, you 
must be logged on as a member of the 


Administrators group. Group Policy is 
not available in Windows XP Home 
Edition. 


The ideal environment for using Group Policy is a 
Microsoft Windows .NET Server or Microsoft 
Windows 2000 Server domain, in which 
administrators can centrally configure computers 
throughout sites, domains, or organizational 
units. In a domain environment, administrators 
can specify unique policies for different 
computers, users, or security groups. Managing 
Group Policy in an Active Directory domain 
environment is well documented in a number of 
books about administering Windows servers; two 
good examples are Microsoft Windows 2000 


Server Administrator’s Companion by Charlie 
Russel and Sharon Crawford (Microsoft Press, 
2000) and Microsoft Windows 2000 Server 
Resource Kit (Microsoft, 2000). 


In this book, however, we focus on using Group 
Policy to make settings on a computer running 
Windows XP Professional or Windows 2000 in a 
workgroup environment. We further narrow our 
focus by concentrating on security-related policy 
settings. Our earlier book, Microsoft Windows XP 
Inside Out (Microsoft Press, 2001), provides more 
general information about using Group Policy in a 
workgroup environment. 


In this chapter, we first examine the security 
settings you can make through Group Policy and 
explain how to apply these settings using 
Microsoft Management Console (MMC) snap-ins. 
In a workgroup, you must make Group Policy 
settings on each computer where you want such 
restrictions imposed; you can’t apply Group 
Policy settings to all computers, users, or groups 
on the network in a single operation, as you can 
in a domain. However, by using security 
templates—another subject covered in this 
chapter—you can store all your security-related 
settings in a file that you can then use to apply 
the settings on each computer. The final topic of 
this chapter is Security Configuration And 
Analysis, an MMC snap-in that allows you to 
compare your current security settings with those 
of a security template and apply the template 
settings if you choose. 


Security Checklist: Group Policy 
and Security Templates 


Although the default configuration for 
Windows is reasonably secure for 


most situations, you should consider 
taking the following steps to tighten 
your computer’s security: 


e Learn about the 
available security- 
related policies. 


e Use Group Policy to 
apply settings in the 
Administrative 
Templates folders. 


e For a one-time 
configuration of a single 
computer, use Local 
Security Settings (or 
Group Policy) to apply 
security settings. 


e Consider making 
different security 
settings for different 
groups of users. (Using 
a workaround described 
in this chapter, you can 
do that even on 
computers that are not 
part of an Active 
Directory domain.) 


e Modify or create a 
security template to 
incorporate the security 
settings you want to 
apply to multiple 
computers (or multiple 
times to a single 
computer). 


e Perform a security 
analysis to see how your 
Current security settings 
compare with those in 
your security template. 


e Apply the settings from 
your security template. 


Exploring Security-Related 
Policies 


Before you begin setting security policies, you 
need to understand what sorts of policies and 
settings are available. You can then configure the 
policies that most interest (and concern) you— 
either by making settings directly or by 
configuring and applying a security template. You 
can view most of the security-related policies in 
an MMC console named Local Security Settings, 
which is shown in Figure 19-1. 


“-Figure 19-1. Local Security Settings 
controls a number of settings that affect all 
users on a single computer. 


You can open Local Security Settings in either of 
two ways: 


e In Control Panel, open 
Administrative Tools, Local Security 
Policy. (If you use Category view in 
Windows XP, you'll find 
Administrative Tools in the 
Performance And Maintenance 
category. ) 


e At a command prompt, type 
secpol.msc. 


In tables in this chapter and throughout the 
book, we explain the various policies presented in 
Local Security Settings: 


e Security Settings\Account 
Policies\Password Policy: See Table 
3-3. Password Policies. 


Security Settings\Account 
Policies\Account Lockout Policy: See 
Table 3-4. Account Lockout Policies. 


Security Settings\Local 
Policies\Audit Policy: See Table 20- 
1. Audit Policies for Security Events. 


Security Settings\Local 
Policies\User Rights Assignment: 
See Table 19-1. User Rights 
Assignment Policies. 


Security Settings\Local 
Policies\Security Options: See Table 
19-2. Security Options Policies. 


Security Settings\Public Key 
Policies: See Disabling_or 
Reenabling_EFS. 


Security Settings\IP Security 
Policies On Local Computer: See 
Restricting Ports Using IP Security. 


The path to each policy folder shown 
in this list assumes that Security 
Settings is the console root, which is 
the case in Local Security Settings 
(Secpol.msc). To display these policy 


folders in the Group Policy console 
(Gpedit.msc), open Local Computer 
Policy\Computer 
Configuration\Windows 
Settings\Security Settings. 


Exploring User Rights 


User rights are a collection of policies that 
determine what actions specified users and 
members of specified security groups can 
perform. Unlike permissions and access control 
lists (ACLs), which control access to a specific 
object (such as a file or a printer), user rights 
apply to operations that affect the entire 
computer. 


User rights comprise two broad categories of 
rights: logon rights and privileges. Logon rights 
determine who is allowed to log on to the 
computer. Privileges determine who can perform 
other actions on the computer, such as backing 
up files or setting the system time. In Local 
Security Settings, logon rights and privileges are 
displayed in the Security Settings\Local 
Policies\User Rights Assignment folder. 


You can specify which user accounts and security 
groups are granted each user right. To see all the 
users and groups who have a particular right, 
double-click the name of the right in the details 
pane. A dialog box similar to the one shown in 
Figure 19-2 appears. 


“-Figure 19-2. To modify the list of user 
accounts and security groups that have a 
particular right, double-click the right to 
display its properties dialog box. 


Table 19-1 lists the user rights that you can 
control in Windows XP and Windows 2000 and 
shows the users and groups who are assigned the 
right in a default workstation configuration. For 
any right whose purpose isn’t obvious from its 
name, a description appears in parentheses. The 
users assigned to each right by default are 


appropriate in most situations, and you'll seldom 
need to add a built-in user or group to the 
defaults. If you’ve created your own security 
groups, you might want to grant certain rights to 
members of those groups. 


Table 19-1. User Rights Assignment Policies 


Policy (Description) Default 


Logon Rights 


Access this computer Administrators, 

from the network Backup Operators, 
Everyone, Power 
Users, Users 


Allow logon through Administrators, 
Terminal Services! Remote Desktop 


Users 
(Allows a user to log on 


through Remote 
Desktop.) 


Log on as a batch job Administrator, 
Support_xxxxxxxx 
(System has the 
right inherently. ) 


(Allows a user to be 
logged on using a batch- 
queue facility. Scheduled 
Tasks and certain other 
services use this method 
for logging on users; 
Scheduled Tasks 
automatically grants this 
right as needed.) 


Policy (Description) 


Log on as a service 


(To run a service under 
a user account, this 
right must be granted to 
the account.) 


Log on locally 


(Allows a user to log on 
by working directly at 
the computer’s 
keyboard.) 


Deny access to this 
computer from the 
network 


(Takes precedence over 
the “Access this 
computer from the 
network” right. ) 


Deny logon as a batch 
job 
(Takes precedence over 


the “Log on as a batch 
job” right.) 


Deny logon as a service 


(Takes precedence over 
the “Log onasa 
service” right. ) 


Default 


Network Service 
(Local Service and 
System have the 
right inherently. ) 


Administrators, 
Backup 


Operators, Guest, 
Power Users, 
Users 


Support_xxxxxxxx 


No one 


No one 


Policy (Description) Default 


Deny logon locally Guest, 


(Takes precedence over Support_XXXXXXXX 


the “Log on locally” 
right.) 


Deny logon through No one 
Terminal Services! 
(Takes precedence over 


the “Allow logon through 
Terminal Services” 


right.) 

Privileges 

Act as part of the No one (System 
operating system has 

(Allows a process to the right 


authenticate as any user inherently.) 
and gain access to the 

same resources as that 

user.) 


Add workstations to No one 
domain 


(Valid only on domain 
controllers.) 


Policy (Description) Default 


Adjust memory quotas Administrators, 
for a process? Local Service, 


(Can be misused to Network Service 


instigate a denial-of- 
service attack—another 
reason not to use an 
administrator account as 
your everyday account. ) 


Back up files and Administrators, 
directories Backup Operators 


(Allows a user to back 
up files and folders, 
including those for 
which the user has not 
been granted any 
permissions in the 
object’s ACL.) 


Bypass traverse Administrators, 
checking Backup Operators, 
Everyone, Power 


(Allows a user to 
Users, Users 


traverse file folder trees, 
even through a folder 
for which the user has 
no other permissions. 
This privilege doesn’t 
allow a user to list the 
contents of a folder; 
that ability is controlled 
by ACLs.) 


Policy (Description) Default 


Change the system time Administrators, 
Power Users 


Create a pagefile Administrators 


(Allows a user to create 
and adjust the size of 
the virtual memory page 


file.) 

Create a token object No one (System 

(Allows a process ete Beit 

authenticated as a user 'N^eren y-) 

to create a token that 

can be used to access 

local resources.) 

Create permanent No one (System 

shared objects has the right 
inherently.) 


(Allows a process to 
create a directory 
object. This task is 
ordinarily handled by 
kernel-mode 
components, which 
already have this right— 
so you shouldn't grant it 
to any users or groups.) 


Policy (Description) Default 


Debug programs Administrators 


(Most programming 
languages come with a 
debugger of some sort, 
and you don’t need this 
right to use those 
debuggers. This right 
allows a user to attach a 
debugger to any 
process, including 
critical operating system 
components. ) 


Enable computer and No one 
user accounts to be 

trusted for delegation 

(Valid only on domain 
controllers. ) 


Force shutdown from a Administrators 
remote system 


(Allows a user to shut 
down a computer from 
another network 
location.) 


Generate security audits Local Service, 

Network Service 
(System has the 
right inherently.) 


(Allows a process to 
generate entries in the 
Security log.) 


Policy (Description) Default 


Increase scheduling Administrators 
priority 


(Allows a user to change 
the scheduling priority 
of a task in Task 
Manager.) 


Load and unload device Administrators 
drivers 


(Allows a user to install 
and remove drivers for 
Plug and Play devices. 
Because device drivers 
run as highly privileged 
programs, attackers can 
use them to install 
malicious code that 
appears to be a device 
driver. You should grant 
this right only to users 
who are careful enough 
to install only drivers 
that have verified digital 
signatures or that are 
known to be valid.) 


Policy (Description) 


Lock pages in memory 


(Allows a process to 
keep data in physical 
memory, preventing it 
from using virtual 
memory. This privilege 
is a relic from Microsoft 
Windows NT and no 
longer serves any 
purpose. ) 


Manage auditing and 
security log 


(Allows a user to 
configure auditing for 
objects such as files, 
printers, and registry 
keys. Also allows a user 
to view and clear the 
Security log.) 


Modify firmware 
environment values 


Perform volume 
maintenance tasks4 


(Allows a user to run 
disk management 
programs, such as Disk 
Cleanup, Disk 
Defragmenter, and Disk 
Management. ) 


Default 


No one (System 
has the right 
inherently. ) 


Administrators 


Administrators 


Administrators 


Policy (Description) Default 


Profile single process Administrators, 


(Allows a user to use Power Users 


Performance Monitor to 
monitor nonsystem 
processes.) 


Profile system Administrators 
performance 


(Allows a user to use 
Performance Monitor to 
monitor system 
processes.) 


Remove computer from Administrators, 
docking station Power Users, 


(Allows a user to undock Users 


a portable computer by 
choosing the Eject PC 
command on the Start 
menu.) 


Replace a process level Local Service, 
token Network Service 
(System has the 


(Allows a parent process right inherently.) 


to replace the access 
token that is associated 
with a child process.) 


Policy (Description) Default 


Restore files and Administrators, 
directories Backup Operators 


(Allows a user to restore 
backed-up files and 
folders, including those 
for which the user has 
not been granted any 
permissions in the 
object’s access control 
list.) 


Shut down the system Administrators, 
Backup Operators, 
Power Users, 
Users 


Synchronize directory No one 
service data 


(Valid only on domain 
controllers. ) 


Take ownership of files | Administrators 
or other objects 


(Allows a user to take 
ownership of any 
securable object, such 
as files and folders on 
an NTFS volume, 
printers, and registry 
keys.) 


Exploring Security Options 


The security options policies provide a number of 
interesting options for locking down your system. 
Table 19-2 explains the settings available in 
Security Settings\Local Policies\Security Options. 
Keep in mind that, for some policies, Enabled is 
the most secure setting; for others, Disabled is 
more secure. You should carefully read the name 
of the policy and its description before you 
change any of the default settings, which provide 
a reasonable (but not extreme) level of security 
for most users in small businesses and homes. 


Security options policies that are 
effective only on servers running 
Windows .NET Server, Windows 2000 
Server, or another server operating 
system are not included in Table 19-2. 


Change policies selectively 


Table 19-2 describes dozens of 
policies, most of which have little or 
no effect on stand-alone computers or 
computers in a workgroup in most 
home and small business settings. So 
which policies should you consider 
changing? Those in the Accounts, 
Interactive Logon, and Shutdown 
categories are most likely to be of 
value to someone securing computers 
in such situations. The Devices and 
Network Security categories also have 
some policies of interest. The rest of 
the policies apply primarily to 
computers in large domains. 


Table 19-2. Security Options Policies 


Policy Name= 


Accounts: 
Administrator 
account status* 


Accounts: 
Guest account 
status* 


Security Setting 


Setting this policy to 
Disabled disables the 
Administrator user 
account. Even if you 
disable Administrator, the 
account remains available 
when you boot in Safe 
Mode. You can secure the 
Administrator account in 
less drastic ways; for 
details, see Securing the 
Administrator Account. 


Setting this policy to 
Disabled disables the 
Guest account. Traditional 
advice for securing 
Microsoft Windows NT and 
Microsoft Windows 2000 
workstations recommends 
this action, but it can 
cause problems in 
Windows XP. If you use 
Simple File Sharing, and if 
you want to share folders 
or printers with other 
network users, the Guest 
account must be enabled. 
For details about this type 
of network setup, see 
Windows Sharing _and 
Security Models. 


Policy Name=2 


Accounts: Limit 
local account 
use of blank 
passwords to 
console logon 
only4 


Accounts: 
Rename 
administrator 
account 


Security Setting 


Enabling this policy (the 
default) prevents users 
from logging on remotely 
by using a user account 
that has nopassword. 
Accounts with blank 
passwords can’t be used to 
log on over the network or 
for remote logons with 
Remote Desktop 
Connection, Terminal 
Services, Telnet, FTP, or 
other network services. 
For security, this policy 
should always be enabled. 


With this policy, you can 
assign a different user 
name to the security 
identifier (SID) associated 
with the Administrator 
account. This trick is useful 
for hiding the 
Administrator account 
from attackers; it forces 
them to obtain both a user 
name and a password 
(rather than a password 
only) to log on with this 
all-powerful account. 


Policy Name= 


Accounts: 
Rename guest 
account 


Audit: Audit the 
access of global 
system objects 


Security Setting 


You can use this policy to 
change the user name for 
the SID associated with 
the Guest account. Such a 
smokescreen hides 
another potential entry 
point known to all 
attackers. 


This policy allows you to 
audit some additional 
system objects if you 
choose to audit object 
access. (For details about 
auditing, see Auditing 
Security Events.)This 
policy is disabled by 
default, and few users 
have any reason to change 
this setting. 


Policy Name= 


Audit: Audit the 
use of Backup 
and Restore 
privilege 


Security Setting 


Ordinarily, nothing is 
recorded in the Security 
log when someone backs 
up or restores files, even if 
you choose to audit 
privilege use. Enabling this 
policy includes each use of 
the privilege, generating 
an audit event for every 
file that is backed up or 
restored. If you’re 
concerned that a user in 
the Administrators or 
Backup Operators group is 
using Windows Backup to 
make off with your files, 
enable this policy and 
enable auditing of privilege 
use, as explained in 
Enabling Security Auditing. 


Policy Name 


Audit: Shut 
down system 
immediately if 
unable to log 
security audits 


Security Setting 


Depending on how you 
configure event logging, 
the Security log might 
become full, allowing no 
additional entries. At this 
point, any actions that 
would ordinarily generate 
an event in the Security 
log go unrecorded. 
Enabling this policy 
prevents unrecorded 
events in a rather drastic 
fashion: by immediately 
halting the computer 
without warning. To 
recover, an administrator 
must log on, clear the 
Security log (presumably 
after examining and 
exporting its contents), 
and then reset a registry 
value. For details, see 
Ensuring That You Don’t 
Miss Any Security Events. 


Policy Name= 


Devices: Allow 
undock without 
having to log 
ont 


Devices: 
Allowed to 
format and 
eject removable 
media (In 
Windows 2000: 
Allowed to eject 
removable 
NTFS media) 


Security Setting 


When this policy is 
enabled, the command for 
removing a portable 
computer from its docking 
station is available from 
the Welcome screen or the 
Log On To Windows dialog 
box, which is available to 
anyone. Disabling this 
policy makes the 
undocking command 
available only after a user 
successfully logs on. 


By default, only members 
of the Administrators 
group can format or eject 
certain types of removable 
media, such as Iomega Jaz 
drives or removable hard 
disks. (This policy does not 
restrict the use of floppy 
disks or CD-ROM discs.) To 
grant this ability to others, 
select an option other than 
Administrators. Note that 
Interactive Users is not the 
name of a security group; 
rather, it refers to any user 
who logs on locally. 


Policy Name= 


Devices: 

Prevent users 
from installing 
printer drivers 


Security Setting 


When enabled, this policy 
allows only members of 
theAdministrators or Power 
Users group to install a 
printer driver in order to 
add a network printer. If 
it’s disabled (the default 
on workstations), any user 
can install a printer driver 
as part of adding a 
network printer. 
Regardless of this policy’s 
setting, any user can adda 
network printer if the 
driver is already installed 
on the local machine. Also, 
this policy does not affect 
the installation of drivers 
for local (non-network) 
printers. 


Policy Name? Security Setting 


Devices: Enabling this policy 

Restrict CD- prevents remote users 

ROM access to (including other network 

locally logged- users) from accessing a 

on user only computer’s CD-ROM drives 
while anyone is logged on 
locally. If no one is logged 
on, other network users 
can access the drives. 
(This policy and the one 
that follows are intended 
more to prevent conflicts 
arising from two users 
accessing a resource 
simultaneously than as 
security measures to 
prevent use of your 
drives.) 


Devices: Enabling this policy 

Restrict floppy prevents remote users 

access to locally from accessing your 

logged-on user computer's floppy drives 

only while anyone is logged on 
to your computer. 
However, if no one is 
logged on locally, the 
floppy drive is accessible 
to network users, even 
when this policy is 
enabled. 


Policy Name= 


Devices: 
Unsigned driver 
installation 
behavior 


Domain 
member: 
Digitally 
encrypt or sign 
secure channel 
data (always)2 


Domain 
member: 
Digitally 
encrypt secure 
channel data 
(when 
possible)= 


Security Setting 


This policy determines 
what happens when a user 
attempts to install a device 
driver that hasn't been 
certified by the Windows 
Hardware Quality Lab 
(WHQL). You can set the 
policy to allow installation, 
prevent installation, or 
allow installation only after 
displaying a warning. 


This policy affects only 
computers that are joined 
to a domain. It determines 
how a workstation 
communicates with a 
domain controller that isn’t 
configured to sign or 
encrypt all secure channel 
traffic. 


This policy affects only 
computers that are joined 
to a domain. Enabling it 
ensures that all secure 
channel trafficis encrypted 
when the domain 
controller supports that 
capability. 


Policy Name= 


Domain 
member: 
Digitally sign 
secure channel 
data (when 
possible)= 


Domain 
member: 
Disable 
machine 
account 
password 
changes* 


Domain 
member: 
Maximum 
machine 
account 
password ageź 


Security Setting 


This policy affects only 
computers that are joined 
to a domain. Enabling it 
ensures that all secure 
channel traffic is digitally 
signed when the domain 
controller supports that 
capability. 


When this policy is 
disabled (the default), a 
domain member computer 
periodically changes its 
computer account 
password. Computer 
account passwords (not to 
be confused with user 
account passwords) are 
used to establish secure 
channel communications 
between domain members 
and domain controllers. 


This policy determines the 
maximum allowable age 
for adomain member 
computer’s machine 
account password. 


Policy Name= 


Domain 
member: 
Require strong 
(Windows 2000 
or later) session 
key2 


Interactive 
logon: Do not 
display last user 
name 


Security Setting 


When enabled, this policy 
permits establishment of a 
secure channel only with a 
domain controller that 
supports 128-bit 
encryption; if disabled, 
this policy permits 64-bit 
session keys. 


When this policy is 
disabled (the default), the 
Log On To Windows dialog 
box displays the user 
name of the last person to 
log on. This setting is 
convenient for a 
workstation used primarily 
by one person, because 
that person can avoid 
typing his or her user 
name at each logon. 
Enabling the policy leaves 
blank the User Name box 
in the Log On To Windows 
dialog box, preventing 
someone from learning a 
valid user name simply by 
looking at the logon 
screen. 


Policy Name2 


Interactive 
logon: Do not 
require 
CTRL+ALT+DEL 
(In Windows 
2000: Disable 
CTRL+ALT+DEL 
requirement for 
logon) 


Interactive 
logon: Message 
text for users 
attempting to 
log on 


Interactive 
logon: Message 
title for users 
attempting to 
log on 


Security Setting 


When this policy is 
disabled, a user must 
press Ctrl+Alt+Delete 
before the Log On To 
Windows dialog box is 
displayed. (This policy has 
no effect if the computer is 
configured to use the 
Welcome screen in 
Windows XP.) Although the 
extra keystroke is 
inconvenient, it prevents 
attackers’ use of programs 
that attempt to capture a 
user’s password as it’s 
entered. 


This policy sets the body 
text for a message that is 
displayed before each 
logon. For details, see 
Displaying_a Welcome 
Message—or a Warning. 


This policy sets the title 
bar text for a message 
that is displayed before 
each logon. For details, 
see Displaying_a Welcome 
Message—or a Warning. 


Policy Name=2 


Interactive 
logon: Number 
of previous 
logons to cache 
(in case domain 
controller is not 
available) 


Interactive 
logon: Prompt 
user to change 
password 
before 
expiration 


Security Setting 


This policy affects only 
computers that are joined 
to a domain. Ordinarily, 
when you log on using a 
domain account, Windows 
retrieves your account 
information from the 
domain controller (DC). If 
the DC is not available at 
logon time, a user can log 
on using account 
information cached on 
your local computer. This 
policy specifies the number 
of unique users whose 
account information is 
cached. Setting the policy 
to O disables it. Caching 
this information offers 
convenience when the DC 
is unavailable, but it does 
provide a slight 
opportunity for an attacker 
who disconnects the 
computer from the 
network. 


This policy specifies the 
number of days in advance 
a user iswarned of 
impending user account 
password expiration. 


Policy Name2 


Interactive 
logon: Require 
Domain 
Controller 
authentication 
to unlock 
workstation# 


Security Setting 


This policy affects only 
computers that are joined 
to a domain. If this policy 
is disabled (the default), a 
workstation that has been 
locked by a domain user 
can be unlocked using 
locally cached account 
information. When the 
policy is enabled, a 
workstation can be 
unlocked only by 
authenticating with the 
domain controller. 


Policy Name=2 


Interactive 
logon: Smart 
card removal 
behavior 


Security Setting 


This policy specifies what 
happens if the smart card 
for thelogged-on user is 
removed from the smart 
card reader. (A smart card 
is a credit card-sized 
device that stores 
certificates, passwords, 
and other personal 
information. On computers 
equipped with a smart 
card reader, users can log 
on by inserting the smart 
card and entering a 
personal identification 
number instead of entering 
a user name and 
password.) You can 
configure the policy to do 
nothing, lock the 
workstation, or log the 
user Off. 


Policy Name=2 


Microsoft 
network client: 
Digitally sign 
communications 
(always) 


Microsoft 
network client: 
Digitally sign 
communications 
(if server 
agrees) 


Security Setting 


Enabling this policy 
requires the use of signed 
packets with Server 
Message Block (SMB), an 
authentication protocol 
that can used for 
communications between 
computers running 
Windows XP and Windows 
2000. Both client and 
server computers must 
Support SMB signing; and 
if this policy is enabled, it 
must be enabled or 
required on both ends. 
Although the use of SMB 
Signing prevents certain 
types of attacks, it can 
slow down your computer 
slightly. 


Enabling this policy causes 
the SMB client to digitally 
sign packets when 
communicating with an 
SMB server on which SMB 
signing is enabled or 
required. 


Policy Name2 


Microsoft 
network client: 
Send 
unencrypted 
password to 
third-party SMB 
servers 


Network 
access: Allow 
anonymous 
SID/Name 
translation? 


Network 
access: Do not 
allow 
anonymous 
enumeration of 
SAM accounts# 


Security Setting 


Enabling this policy allows 
passwords to be sent in 
plain text to non-Microsoft 
SMB servers that do not 
support password 
authentication. 


Enabling this policy allows 
a user who knows the 
security identifier (SID) of 
a user account to obtain 
the user name associated 
with the SID. Leave this 
policy disabled. 


This policy prevents users 
with an anonymous 
connection to the 
computer from 
enumerating the user 
names of domain 
accounts. In certain 
network configurations 
with multiple domains, it’s 
useful to disable this 
policy; all other users 
should leave it enabled. 


Policy Name= 


Network 
access: Do not 
allow 
anonymous 
enumeration of 
SAM accounts 
and shares (In 
Windows 2000: 
Additional 
restrictions for 
anonymous 
connections) 


Network 
access: Do not 
allow storage of 
credentials or 
.NET Passports 
for network 
authentication4 


Security Setting 


Enabling this policy 
prevents users with an 
anonymous connection 
from engaging in certain 
activities, including 
enumerating the names of 
domain accounts and 
network shares. 


When enabled, this policy 
prevents Stored User 
Names And Passwords 
from saving passwords 
and logon credentials. 
Stored User Names And 
Passwords provides a 
secure, convenient method 
of managing credentials 
for multiple Web sites, 
accounts, and domains. 


Policy Name= 


Network 
access: Let 
Everyone 
permissions 
apply to 
anonymous 
users® 


Network 
access: Named 
Pipes that can 
be accessed 
anonymously4 


Security Setting 


In Windows XP, when this 
policy is disabled, 
anonymous users are not 
considered members of 
the Everyone group, and 
therefore permissions 
granted to the Everyone 
group do not apply to 
anonymous users. 
Anonymous users can 
access only resources for 
which the Anonymous 
group has been given 
explicit permission. 
Enabling this policy 
includes anonymous users 
in the Everyone group, 
which is always the case in 
Windows 2000 and 
Windows NT. 


This policy lists the named 
pipes that can be accessed 
by an anonymous 
connection. (A named pipe 
is an area of memory used 
for communication 
between two processes.) 
Programs and services that 
establish the pipes 
generally manage these 
settings; unless you really 
know what you’re doing, 
it’s best to leave this one 
alone. 


Policy Name= 


Network 
access: 
Remotely 
accessible 
registry paths* 


Network 
access: Shares 
that can be 
accessed 
anonymously4 


Security Setting 


In a domain-based 
environment, certain 
services require remote 
access to the registry. The 
list of registry keys in this 
policy controls which keys 
are available for this type 
of access. (By default, 
users with appropriate 
permissions have access to 
a much greater portion of 
the registry.) If your 
computer is not joined to a 
domain, you can safely 
delete these registry paths 
—although there’s no 
compelling reason to do 
so. (To prevent remote 
access to your computer’s 
registry, a better solution 
is to disable the Remote 
Registry service. For 
details, see Shutting Down 
Unneeded Services. ) 


This policy lists network 
shares that can be 
accessed by anonymous 
users. Except in rare 
situations, you'll want to 
include only the two 
administrative shares 
placed here by Windows 
itself: COMCFG and DFS$. 


Policy Name= 


Network 
access: Sharing 
and security 
model for local 
accounts4 


Security Setting 


This policy is at the heart 
of the different sharing 
models available in 
Windows XP Professional 
for computers that are not 
joined to a domain. You 
can select between Classic 
and Guest Only; the latter 
setting is synonymous with 
Simple File Sharing. 
Setting this policy is 
merely an alternative to 
the Use Simple File 
Sharing option on the View 
tab of the Folder Options 
dialog box. For details 
about the two sharing and 
security models, see 
Windows Sharing_and 
Security Models. 


Policy Name= 


Network 
security: Do not 
store LAN 
Manager hash 
value on next 
password 
change* 


Security Setting 


The LAN Manager hash 
value is a value derived 
from a user account 
password that is used for 
logging on to domains 
running Windows NT and 
other earlier operating 
systems. If all the 
computers on your 
network use Windows 
2000 or Windows XP, you 
don’t need the LAN 
Manager hash. Because it 
presents a security risk 
(it’s a useful piece of 
information for password 
crackers, and it’s relatively 
easy for them to get), you 
should enable this policy if 
you don’t need to log on to 
networks running earlier 
operating systems. 


Policy Name= 


Network 
security: Force 
logoff when 
logon hours 
expire (In 


Windows 2000: 


Automatically 
log off users 
when logon 
time expires) 


Security Setting 


Although it might sound as 
though you can use this 
policy to forcibly log off 
users who are logged on 
when they shouldn't be, it 
works only with a domain 
controller and an SMB 
server. (Using the /Times 
switch with the Net User 
command, you can specify 
logon hours for particular 
users. They can’t log on 
outside those hours, but if 
they’re already logged on, 
they can continue working. 
For details, see Table 3-2. 
Net User Parameters for 
Adding Accounts. ) 


Policy Name= 


Network 
security: LAN 
Manager 
authentication 
level 


Network 
security: LDAP 
client signing 
requirements* 


Security Setting 


This policy determines 
which challenge/response 
authentication protocol is 
used for network logons. 
The options for this policy 
appear in the list in 
increasing order of 
security. The less secure 
options (at the top of the 
list) are provided for 
compatibility with 
networks running Windows 
NT and other earlier 
operating systems. If all 
network computers that 
connect to your computer 
use Windows XP or 
Windows 2000, you should 
choose the most secure 
option, Send NTLMv2 
Response Only\Refuse LM 
& NTLM. For more 
information about these 
choices and other 
operating systems, see 
Controlling the Logon and 
Authentication Process. 


This policy specifies 
whether your 
computer’scommunications 
with an LDAP server must 
be digitally signed. 


Policy Name=2 


Network 
security: 
Minimum 
session security 
for NTLM SSP 
based 
(including 
secure RPC) 
clients 


Network 
security: 
Minimum 
session security 
for NTLM SSP 
based 
(including 
secure RPC) 
servers# 


Security Setting 


The four options in this 
policy determine the 
minimum client security 
requirements for 
communications between 
networked client/server 
applications. If all 
computers on your 
network use Windows 
2000 (with 128-bit 
encryption) or Windows 
XP, you can select all four 
options to provide 
additional security. 


This policy provides the 
same options as the 
preceding policy, but it 
affects the server side of 
the communication. 


Policy Name=2 


Recovery 
console: Allow 
automatic 
administrative 
logon 


Security Setting 


When this policy is 
disabled (the default), 
Recovery Console requires 
entry of the password for 
the Administrator account 
before granting access. 
Enabling this policy 
eliminates the password 
requirement, allowing 
anyone with physical 
access to your computer 
and a Windows CD to boot 
into Recovery Console with 
administrative privileges. 


Policy Name=2 


Recovery 
console: Allow 
floppy copy and 
access to all 
drives and all 
folders 


Security Setting 


When this policy is 
disabled (the default), 
Recovery Console allows 
access only to a few 
folders for the purpose of 
getting a corrupt system 
running. Specifically, 
Recovery Console allows 
full access to the root 
directory of any hard disk 
volume, to 
%SystemRoot™% and its 
subfolders, and to 
\Cmdcons and its 
subfolders and allows 
read-only access to files 
and folders on removable 
disks. These limitations 
prevent thieves from 
copying files to removable 
media and from accessing 
nonsystem documents and 
programs. Enabling this 
policy eliminates these 
protections by enabling the 
Set command in Recovery 
Console. (In Recovery 
Console, type set /? for 
details about using Set to 
enable access to other 
folders; you can display 
Set’s help without enabling 
this policy. ) 


Policy Name2 


Shutdown: 
Allow system to 
be shut down 
without having 
to log on 


Security Setting 


By default, the Log On To 
Windows dialog box 
includes a Shutdown 
button. (It appears only 
when you click Options to 
expand the dialog box.) 
Clicking the button shuts 
down the computer. If you 
disable this policy, the 
button appears dimmed, 
allowing only a user who 
successfully logs on to 
shut down the system. 
(Through another policy— 
the “Shut down the 
system” user right, 
described in Table 19-1— 
you can specify which 
logged-on users are 
allowed to shut down the 
computer. ) 


Policy Name2 


Shutdown: 
Clear virtual 
memory 
pagefile 


Security Setting 


Enabling this policy clears 
the content of the page 
file(\Pagefile.sys) each 
time you shut down. (Even 
when this policy is 
disabled, the page file is 
deleted at shutdown but, 
like files in the Recycle Bin, 
it can be recovered by 
someone with the know- 
how. Enabling this policy 
“wipes” the file by writing 
all zeros to the file area 
and deleting the file’s 
directory entry.) The page 
file, also Known as a swap 
file or virtual memory, 
contains information that 
is swapped out of memory 
during the course of 
normal operation. While 
Windows is running, the 
page file is accessible only 
by the System account and 
is secure from snoopers. 
But someone who boots 
your computer into 
another operating system 
might have access to the 
page file and might be 
able to find some sensitive 
information therein. 


Policy Name= 


System 
cryptography: 
Use FIPS 
compliant 
algorithms for 
encryption, 
hashing, and 
signing* 


System objects: 


Default owner 
for objects 
created by 
members of the 
Administrators 
group4 


Security Setting 


Enabling this policy causes 
the Encrypting File System 
(EFS) to use Triple Data 
Encryption Standard 
(3DES) to encrypt and 
decrypt files instead of the 
expanded Data Encryption 
Standard (DESX) 
algorithm. Because 3DES 
processes each block of 
each file three times, it’s 
slower, but it’s also more 
secure. 


This policy determines 
whether the initial owner 
of a new object (such as a 
file or a folder) created by 
a member of the 
Administrators group is the 
individual user who creates 
the object or the 
Administrators group. 
Because any member of 
the Administrators group 
can take ownership of an 
object, this distinction has 
little practical effect. 


Policy Name=2 


System objects: 


Require case 
insensitivity for 
non-Windows 
subsystems4 


System objects: 


Strengthen 
default 
permissions of 
internal system 
objects (e.g. 
Symbolic Links) 


Security Setting 


When this policy is 
enabled, names of files 
and other objects in non- 
Windows subsystems 
(such as POSIX) are case 
insensitive. With the policy 
disabled, subsystems can 
be case sensitive. Because 
few systems in homes and 
small businesses use any 
non-Windows subsystems, 
this policy generally has no 
effect. 


This policy determines the 
default permissions for 
some objects; when the 
policy is enabled, stronger 
(that is, more restrictive) 
permissions are applied. 
Leave this policy enabled. 


Exploring Other Group Policies 


Literally hundreds of group policies are available 
in Windows XP Professional and Windows 2000. 
Most of these policies control elements of the 
user interface (for example, which icons appear 
on the desktop) and how certain programs 
operate (for example, allowing audio redirection 
in a Remote Desktop session). Others place 
limitations on what a user can do. Some of these 
limitations are intended to keep a user focused 
on his or her work, to eliminate options that 
might be distracting or confusing to 
inexperienced users, or to prevent users from 
making inadvertent changes. Although the 
limitations you can impose in some policies might 
provide a form of security, those policies are the 
subject for another book. Here we'll focus on a 
number of group policies that have clear security 
implications, as explained in Table 19-3. 


For a complete reference to Group 
Policy in Windows 2000, visit 
http://www. microsoft.com/windows20 
00/techinfo/reskit/en-us/default.asp. 
Look for Windows 2000 Group Policy 
Reference in the contents pane. Nearly 
all the information in this reference 
applies to Windows XP Professional as 
well, although it doesn’t include the 
policies that are available only in 
Windows XP. Another good resource is 
the Group Policy Object Settings 
spreadsheet, which you can download 
from 

http://www. microsoft.com/WindowsxXP 


Zpro/techinfo/productdoc/gpss.asp. 
Although the spreadsheet doesn’t 


explain the settings, it lists all 
Administrative Templates policies 
(including those in Windows XP) and 
shows which ones apply to each 
operating system; it also provides a 
convenient way to record your own 
settings. 


A determined attacker can bypass 
some of the protections these policies 
provide. For example, you can set a 
policy to hide the Security tab in the 
properties dialog box for a folder ora 
file. Although this setting removes the 
user interface to the access control 
lists, programs running in the context 
of a powerful user account can still 
make changes. Indeed, a user who 
knows about the Cacls command can 
perform many of the same tasks that 
are available through the Security tab. 
(However, you can mitigate that 
particular threat by enabling another 
policy, which prevents use of a 
Command Prompt window.) 
Nonetheless, these policies can 
provide protection against users 
inadvertently creating security 
vulnerabilities as well as protection 
against less knowledgeable attackers. 


Table 19-3. Other Security-Related Group Policies 


Policy Name Description 


Computer Configuration \Administrative 
Templates \Windows 
Components \NetMeeting 


Policy Name Description 


Disable This policy disables only the 
remote remote desktop sharing 
Desktop feature of Microsoft 

Sharing NetMeeting. (This feature 


lets a remote user view and 
control your desktop.) If you 
use NetMeeting but want to 
prevent others from gaining 
access to your desktop, 
enable this policy. 


Computer Configuration \Administrative 
Templates \Windows Components \ 
Internet Explorer 


Security This policy applies the same 
Zones: Use Microsoft Internet Explorer 
only machine security zone settings to all 
settings users of a single computer. 


If the policy is not enabled, 
each user can configure 
security zones 
independently. Enabling the 
policy ensures that the 
strong security zone settings 
you make apply to all users. 


Policy Name 


Security 
Zones: Do not 
allow users to 
change 
policies 


Security 
Zones: Do not 
allow users to 
add/delete 
sites 


Disable 
Automatic 
Install of 
Internet 
Explorer 
components 


Description 


This policy acts as an 
enforcement mechanism for 
the previous policy: Enabling 
this policy disables the 
Custom Level button and the 
security level slider on the 
Security tab in the Internet 
Options dialog box, 
preventing users from 
changing security zone 
settings. 


When enabled, this policy 
disables the Sites button on 
the Security tab in the 
Internet Options dialog box, 
thereby preventing users 
from adding or removing 
sites from the Trusted Sites, 
Restricted Sites, and Local 
Intranet zones. 


When you visit a Web site 
that uses an installable 
component, a Security 
Warning dialog box asks 
whether you want to install 
the component. If you want 
to prevent users from 
downloading and installing 
potentially harmful 
components, you can take 
away the option to do so by 
enabling this policy. 


Policy Name Description 


Computer Configuration \Administrative 
Templates \Windows 

Components \Terminal 
Services\Encryption and Security 


Set client If you use Remote Desktop 
connection on your Windows XP 
encryption computer and the computers 
level that connect to it are 


running Windows XP or 
Windows 2000 with the High 
Encryption Pack installed (in 
other words, they're using 
128-bit encryption), you 
should enable this policy and 
set it to High Level. With any 
other setting, the client 
computer sets the 
encryption level. 


Computer Configuration \Administrative 
Templates\System\Remote Assistance 


Policy Name Description 


Solicited 
Remote 
Assistance 


This policy restricts the use 
of Remote Assistance, a 
feature that can cede control 
to an outsider. (Although 
Remote Assistance has 
several safeguards built in, a 
disgruntled user inside your 
network could use it to allow 
entry by someone from the 
outside.) Disabling the policy 
prevents a user from 
sending an assistance 
request. If you enable the 
policy, you can configure it 
so that the person providing 
the assistance can view the 
computer but not control it. 


Policy Name Description 


Offer Remote This policy restricts the 

Assistance ability of an outside expert 
to offer remote assistance 
without first receiving a 
remote assistance request. 
(When the expert offers 
assistance, the user must 
grant permission, so the 
expert can’t take over 
unnoticed.) Disabling or not 
configuring this policy 
rejects all unsolicited 
assistance offers. If you 
enable the policy, you must 
specify a list of authorized 
experts, and you can limit 
how much control the 
remote expert will have. 


Computer Configuration \Administrative 
Templates \Network\ Offline Files 


Encrypt the Enabling this policy causes 

Offline Files all local copies of Offline 

cache Files to be encrypted. This 
provides additional security 
(the files are already 
protected by NTFS 
permissions) in case an 
attacker gains access to 
your computer. 


Policy Name Description 
Computer Configuration \Administrative 


Templates \Network\Network 
Connections 


IEEE 802.1x This policy provides security 


Certificate for wireless networks by 
Authority for requiring authentication 
Machine through a Certificate 


Authentication Authority. For more 
information about securing 
wireless networks, see 
Chapter 16, “Wireless 
Networking.” 


User Configuration \Administrative 
Templates \Windows 
Components \NetMeeting 


Set Call This policy lets you require 
Security call security for all 
options NetMeeting incoming and 


outgoing calls. 


Prevent This policy prevents the use 
automatic of NetMeeting’s automatic 
acceptance of answering feature, which 
Calls could allow someone to 


connect to your computer 
when you’re not there. 
(Even when the feature is 
enabled, however, it is 
effective only when 
NetMeeting is running. ) 


Policy Name Description 


User Configuration \Administrative 
Templates \Windows 
Components \ NetMeeting \Application 
Sharing 


Disable This policy disables 
application NetMeeting application 
Sharing sharing altogether; when it 


is enabled, users can’t share 
applications or use shared 
applications on another 


computer. 
Prevent This policy prevents users 
Sharing from sharing applications in 


NetMeeting themselves, but 
they can connect to others’ 
shared applications. 


Prevent This policy prevents users 

Desktop from sharing the desktop in 

Sharing NetMeeting, although they 
can share individual 
applications. 

Prevent This policy prevents users 

Sharing from sharing Command 


Prompt Command 
Promptswindows in 
NetMeeting. Such sharing 
can be dangerous because 
remote users can start other 
programs from a command 
prompt. 


Policy Name 


Prevent 
Sharing 
Explorer 
windows 


Prevent 
Control 


Description 


This policy prevents users 
from sharing Windows 
Explorer windows in 
NetMeeting. Such sharing 
can be dangerous because 
remote users can start other 
programs from a Windows 
Explorer window. 


This policy prevents users 
from allowing remote users 
to control shared 
applications in NetMeeting. 


User Configuration \Administrative 
Templates \Windows 
Components \NetMeeting \Options Page 


Hide the 
Security page 


This policy hides the 
Security tab in NetMeeting, 
preventing users from 
changing call security and 
authentication settings. 


User Configuration \Administrative 
Templates \Windows 
Components \Internet Explorer 


Policy Name 


Disable 
changing 
certificate 
settings 


Do not allow 
AutoComplete 
to save 
passwords 


Description 


This policy disables the 
Certificates buttons on the 
Content tab of the Internet 
Options dialog box, thereby 
preventing users from 
adding or removing 
certificates for software 
publishers. 


If you enable this policy, 
Internet Explorer no longer 
saves passwords that you 
enter on Web pages, nor 
does it prompt to ask 
whether you want to save 
the password. Options in the 
AutoComplete Settings 
dialog box are disabled, 
preventing users from 
changing these settings. The 
risk of having Internet 
Explorer save passwords is 
that someone who gains 
access to your computer 
(and logs on to your 
account) has access to your 
password-protected Web 
sites. 


User Configuration \Administrative 
Templates \Windows 
Components \ Internet Explorer\ 
Internet Control Panel 


Policy Name Description 


Disable the Enabling this policy hides 

Security page the Security tab in the 
Internet Options dialog box, 
thereby preventing users 
from viewing or changing 
security zone settings. 


User Configuration \Administrative 
Templates \Windows 
Components \Windows Explorer 


Hide these This policy allows a bit of 


specified subterfuge: by enabling it, 
drives in My — you can prevent certain 
Computer drives from appearing in My 


Computer, Windows 
Explorer, or common dialog 
boxes such as Open. The 
drive is still accessible by 
programs, at a command 
prompt, or by other 
nonobvious means—but it 
remains hidden from casual 
examination. 


Policy Name 


Prevent 
access to 
drives from 
My Computer 


Remove 
Security tab 


Description 


This policy prevents access 
to specified drives through 
Windows Explorer and most 
other means. (The drives 
still appear unless you hide 
them using the preceding 
policy, but they’re 
unavailable.) Programs, 
however, can still access the 
drives. 


Enabling this policy hides 
the Security tab in the 
properties dialog boxes for 
folders and files, preventing 
users from viewing or 
modifying access 
permissions. Knowledgeable 
users can use command-line 
tools such as Cacls or Xcacls 
to bypass this protection. 


User Configuration \Administrative 
Templates \Windows 

Components \Windows 
Explorer\Common Open File Dialog 


Policy Name Description 


Hide the If this policy is disabled or 

dropdown list not configured, the File 

of recent files Name box in the Open 
dialog box has a drop-down 
list of files you've recently 
opened. If you don’t want 
others to know which files 
you've opened, enable this 
policy. (The files list is saved 
on a per-user basis, so only 
users who log in with the 
Same account would see 
each other’s file names.) 


User Configuration \Administrative 
Templates \Windows 
Components \ Microsoft Management 
Console 


Restrict the This policy prevents users 
user from from creating or modifying 
entering MMC consoles, thereby 
author mode allowing them to use only 
existing consoles for which 
they have sufficient 
permissions. This prevents 
access to potentially 
destructive snap-ins. 


Policy Name 


Restrict users 
to the 
explicitly 
permitted list 
of snap-ins 


Description 


If you don’t want to prevent 
users from creating or 
modifying consoles 
altogether, you can use this 
policy to limit them to 
certain snap-ins. If this 
policy is enabled, users have 
access only to the snap-ins 
and snap-in extensions that 
have been set to Enabled in 
the Restricted/Permitted 
Snap-Ins subfolder and its 
subfolders. 


User Configuration \Administrative 
Templates\Start Menu and Taskbar 


Do not keep 
history of 
recently 
opened 
documents 


Ordinarily, Windows keeps 
track of documents you 

open by storing a shortcut to 
each one in the 
%UserProfile%\Recent 
folder. If you don’t want 
others to know what 
documents you used 
recently, enable this policy. 
Doing so deletes the 
contents of the Recent folder 
and prevents new items 
from being added. It also 
prevents recent file names 
from appearing at the 
bottom of the File menu in 
many programs. 


Policy Name 


Clear history 
of recently 
opened 
documents on 
exit 


Turn off user 
tracking 


Description 


Unlike the preceding policy, 
this one does not prevent 
the accumulation of recent 
documents history. Within a 
logon session, you have 
convenient access (through 
the Recent Documents item 
on the Start menu) to 
documents you've already 
opened once. The 
information is purged when 
you log off. This policy does 
not affect the list of 
recentdocuments at the 
bottom of the File menu in 
some applications. 


Ordinarily, Windows tracks 
which programs and 
documents you use. The 
system uses this information 
to customize Windows to the 
way you work (for example, 
by displaying frequently 
used programs more 
prominently on the Start 
menu). When this policy is 
enabled, Windows does not 
track user actions. 


User Configuration \Administrative 
Templates \Control Panel 


Policy Name 


Prohibit 
access to the 
Control Panel 


Hide specified 
Control Panel 
applets 


Show only 
specified 
Control Panel 
applets 


Description 


Enabling this policy prevents 
you from running Control 
Panel and removes it from 
the Start menu and from My 
Computer. 


This policy allows you to 
prevent certain items from 
appearing in Control Panel. 
A knowledgeable user can 
open these items from a 
command prompt, however. 


This policy provides the 
same protection as the 
preceding one: It causes 
certain items not to appear 
in Control Panel. (The 
difference is whether you 
want to specify only the 
items to hide or specify only 
the items to display.) 


User Configuration \Administrative 
Templates\Control Panel\ Display 


Policy Name Description 


Password Enabling this policy causes 

protect the all screen savers to be 

screen saver password-protected. That is, 
to restore the normal 
desktop when ascreen saver 
is displayed, the user must 
enter his or her password. 
Therefore, someone who 
leaves the computer for a 
time doesn’t leave its display 
open to anyone who walks 
by and jiggles the mouse. 
(However, no policy 
explicitly requires users to 
use a screen saver. If you 
want to do that, configure a 
screen saver and then 
enable the Hide Screen 
Saver Tab policy in this 
same folder, which prevents 
users from changing your 
screen saver configuration. ) 


User Configuration \Administrative 
Templates\System 


Prevent This policy prevents users 
access to the from running Cmd.exe 
command (Command Prompt), which 
prompt can be used to launch all 


manner of programs, good 
and bad. It also prevents 
batch programs (those with 
a .cmd or .bat file name 
extension) from running. 


Policy Name 


Prevent 
access to 
registry 
editing tools 


Run only 
allowed 
Windows 
applications 


Don’t run 
specified 
Windows 
applications 


Description 


This policy disables Registry 
Editor (Regedit.exe and, 
Regedt32.exe). 


If you really want to lock 
down your computer (such 
as in a kiosk application), 
you can use this policy to 
specify a list of programs 
that a user is allowed to run 
from the Start menu or 
Windows Explorer. 


With this policy, you can 
specify a list of programs 
that users are not allowed to 
run. 


User Configuration \Administrative 
Templates \System\Ctrl-Alt-Del Options 


Policy Name Description 


Remove Task Ordinarily, one of the 

Manager buttons in the Windows 
Security dialog box, which 
appears when you press 
Ctri+Alt+Delete, is one that 
opens Task Manager, a 
powerful application that lets 
you monitor and control 
running applications, among 
other things. Enabling this 
policy disables the Task 
Manager button in the 
Windows Security dialog 
box. It also prevents users 
from starting Task Manager 
by pressing Ctrl+Shift+Esc 
or running its executable 
file, Taskmgr.exe. 


User Configuration \Administrative 
Templates\System\Power Management 


Policy Name Description 


Prompt for If you enable this setting, 

password on the computer is locked when 

resume from it resumes after hibernating 

hibernate / or a suspended low-power 

suspend state. To gain access, the 
user who was logged on 
when the system shut down 
(or an administrator) must 
provide a password. If you 
use power management on 
a portable computer, you 
should enable this policy. 
Otherwise, someone who 
steals your computer might 
be able to pick up where you 
left off—logged in to your 
account. 


Group Policy settings take precedence 
over user settings (that is, settings 
that you make through Control Panel 
and other methods available to 
ordinary users). Group Policy settings 
are saved in different registry keys 
than settings made through other 
means. In cases of conflict, the value 
under the Policies key overrules the 
other. 


You might also notice that some 
policies appear in both User 
Configuration and Computer 
Configuration. If the settings conflict, 
the Computer Configuration setting 
always takes precedence. 


Using the Group Policy Snap-In 


The policies described in Tables 19-1, 19-2, and 
19-3 can all be viewed and modified using the 
Group Policy snap-in for MMC. A console 
containing this snap-in is included with Windows; 
the easiest way to open it is to type gpedit.msc 
at a command prompt. Figure 19-3 shows the 
Group Policy console. 


“-Figure 19-3. Group Policy in Windows XP 
includes an Extended tab, which displays a 
description of any policy you select in the 
Administrative Templates folders. 


Each policy in the Administrative Templates 
folders of Group Policy has one of three settings: 
Not Configured, Enabled, or Disabled. By default, 
all policies in the local Group Policy object are 
initially set to Not Configured. 


To change a setting, simply double-click the 
name of the policy to open its properties dialog 
box. The properties dialog box for each policy 
under Administrative Templates looks much like 
the one shown in Figure 19-4. The Setting tab 
(called Policy in Windows 2000) includes the Not 
Configured, Enabled, and Disabled options and an 
area where you can make policy-specific settings. 
(Many simple policies leave this area blank 
because the policy needs no further setting.) 
Controls in the center area appear dimmed unless 
you select the Enabled option. The Explain tab 
provides detailed information about the policy; 
the only place you're likely to find more 
information about each policy is in the Windows 
2000 Group Policy Reference, available online at 
http://www. microsoft.com/windows2000/techinfo 
/reskit/en-us/default.asp. (At the time of this 


book’s writing, a version updated for Windows XP 
was not yet available.) Both tabs include Previous 
Setting and Next Setting buttons (called Previous 
Policy and Next Policy in Windows 2000), which 
make it convenient to go through an entire folder 
without opening and closing the properties dialog 
box for each policy individually. 


“-Figure 19-4. The properties dialog box for 
any Administrative Templates policy is 
similar to the one shown here. 


Pay close attention to the name of 
each policy because the settings can 
be counterintuitive, particularly in 
Windows 2000. A number of policies 
begin with the word disable (for 
example, Disable Autoplay, a policy 
that’s included in Computer 
Configuration\Administrative 
Templates\System). For those policies, 
if you want to allow the specified 
option (Autoplay in this example), you 
must select the Disable setting. (In 
other words, you must disable the 
disabling policy.) Conversely, if you 
want to prohibit the option, you must 
select Enable. 


The potential for confusion is reduced 
in Windows XP because its designers 
have renamed many of the policies. 
For example, Disable Autoplay is now 
called Turn Off Autoplay. 


Using the Security Settings Extension 


You can use Group Policy to work with user 
rights, security options, and other settings within 
the Security Settings folder. You can avoid much 
of the clutter, however, by opening Local Security 
Settings (shown in Figure 19-1), a console that 
includes only the Security Settings extension for 
the Group Policy snap-in. 


You examine and set policies within the Security 
Settings extension in much the same way as you 
do for policies in the Administrative Templates 
folders. As shown in Figure 19-5, however, you'll 
discover that convenient touches such as the 
setting description and the Previous and Next 
buttons are missing. 


“-Figure 19-5. Aside from descriptive policy 
names, no help is available within the 
console. 


How Policies Are Applied 


When you configure a policy in the Security 
Settings folders, Windows immediately saves the 
information to the appropriate registry key. 
(Although the information is written to the 
registry immediately, some policy changes don’t 
take effect until you log off and then log back 
on.) 


Policy configuration changes in the Administrative 
Templates folders are applied indirectly. When 
you configure one of these policies (that is, you 
select either Enabled or Disabled and, optionally, 
set a value), Group Policy stores the information 
as a custom registry setting in one of the two 
Registry.pol files. AS you’d expect, Group Policy 
uses the copy of Registry.pol in 
%SystemRoot%\System32\GroupPolicy\Machine 
for settings you make in the Computer 
Configuration\Administrative Templates folder in 
Group Policy and uses the copy in User for 
settings you make in User 
Configuration\Administrative Templates. 


Computer-related Group Policy settings—those 
stored in Machine\Registry.pol—are copied to the 
appropriate registry keys in the HKLM hive when 
the operating system initializes and during a 
periodic refresh that occurs at intervals you 
define as a Group Policy setting. User-related 
settings (in User\Registry.pol) are copied to the 
appropriate keys in HKCU when a user logs on 
and during the periodic refresh. 


Troubleshooting 


You need detailed information 
about Local Security Settings 


policies 


If you need to find out more about the 
policies in the Security Settings 
extension, in addition to the 
information this book provides, online 
resources are available. (They’re just 
not easy to find.) You can find a 
detailed description of each policy in 
the following places: 


e In Windows XP, from 
either Group Policy or 
Local Security Settings, 
choose Action, Help. 
Click the Contents tab 
and then, in the 
Contents pane, open 
Security 
Settings\Concepts\Secur 
ity Setting 
Descriptions\Local 
Policies. From here, you 
can drill down to the 
policy of interest. 


e In Windows XP, use your 
Web browser to open 
http://www. microsoft.co 
m/technet/prodtechnol/ 
winxppro/proddocs/Local 
Policiestopnode.asp. 
Click links in the right 
pane to see the 
description of a 
particular policy. 


e In Windows 2000, use 
your Web browser to 
open 


http://www. microsoft.co 
m/windows2000/techinf 
o/reskit/en- 
us/default.asp. In the 
left pane, open Windows 
2000 Group Policy 
Reference\Computer 
Configuration\Windows 
Settings\Security 
Settings\Local Policies. 
Continue expanding the 
table of contents until 
you reach the policy you 
want. 


Make different settings for 
different users 


Centrally managed Group Policy 
settings—that is, those stored in 
Active Directory in Windows .NET 
Server or Windows 2000 Server—can 
be applied to individual users, 
computers, or groups of either. You 
can have multiple sets of Active 
Directory-based Group Policy objects, 
allowing you to create an entirely 
different collection of settings for 
different users or computers. 


Such is not the case with local Group 
Policy. Despite the (misleading) 
separate Computer Configuration and 
User Configuration folders, local Group 
Policy settings apply to all users who 
log on to the computer. You can’t have 
multiple sets of local Group Policy 
objects. 


Although you can’t customize settings 
for each of several different groups, 
you can effectively have two groups of 
users: those who are affected by local 
Group Policy settings and those who 
are not. This duality affects only the 
User Configuration settings; Computer 
Configuration settings are applied 
before anyone logs on. 


You can do this because local Group 
Policy depends on users having read 
access to the local Group Policy object, 
which is stored in the 
%SystemRoot%\System32\GroupPolic 
y folder. Policies are not applied to 
users who do not have read access; 
therefore, by denying read access to 
administrators or others whom you 
don’t want to restrict, you free those 
users from restrictions in local group 
policies. To use this method, do the 
following: 


1. Make the Group Policy 
setting changes. 


2. In Windows Explorer, 
choose Tools, Folder 
Options. On the View 
tab, select Show Hidden 
Files And Folders. If 
you're using Windows XP 
Professional, clear the 
Use Simple File Sharing 
(Recommended) check 
box. Click OK. 


3. Right-click the 
%SystemRoot%\System 


32\GroupPolicy folder 
and choose Properties. 


4. On the Security tab of 
the GroupPolicy 
Properties dialog box, 
select the Administrators 
group, and select the 
Deny check box for the 
Read permission. (If you 
want to exclude any 
other users or groups 
from Group Policy 
control, add them to the 
list of names and then 
deny their Read 
permission. ) 


5. Restore the Folder 
Options settings (the 
ones you set in step 2) 
to their previous states. 


At your next logon using one of the 
user accounts for which you denied 
read access, you'll find that you're no 
longer encumbered by Group Policy 
settings. Without Read permission, 
however, you’re also unable to run 
Group Policy—so you can’t view or 
modify Group Policy settings. To 
regain that power, you need to revisit 
the GroupPolicy Properties dialog box 
and grant yourself Full Control 
permission. 


If using group membership as the 
basis for customizing the effects of 
Group Policy settings is important to 
you, you should install Windows .NET 


Server or Windows 2000 Server and 
set up Active Directory. The methods 
described here can provide an easy 
compromise in the meantime. 


Starting Group Policy for a Remote 
Computer 


When you start Group Policy as described earlier 
in this chapter, it displays the local GPO for your 
computer. You can, however, start Group Policy 
with its gaze turned toward another computer. To 
do that, you must have administrative privileges 
on both your own computer and the other 
computer. You can use either of two methods to 
start Group Policy for a remote computer: a 
command-line parameter or a custom MMC 
console. 


Running Group Policy remotely 
provides full access to the policies in 
the Administrative Templates folders, 
allowing you to administer all the 
computers on your network from a 
single console. However, you can’t 
manage the policies in the Security 


Settings folder remotely. To work with 
those policies, you must work directly 
at each workstation (unless you have 
Windows 2000 Server or Windows 
.NET Server and domain-based 


The simplest method is to append the 
/Gpcomputer parameter to the command for 
running Group Policy, as in this example: 


gpedit.msc /gpcomputer:"redwood" 


The computer name that follows /Gpcomputer 
can be either a NetBIOS-style name (as shown 
here) or a DNS-style name (for example, 
redwood.swdocs.com), which is the primary 
naming format used by Windows 2000 Server 


and Windows .NET Server domains. In either 
case, you must enclose the computer name in 
quotation marks. 


An alternative is to create a custom console that 
opens the local Group Policy object on another 
computer. The advantage of this approach is that 
you can create a single console that can open 
Group Policy on each computer you want to 
manage. To create a custom console, do the 
following: 


1. At a command prompt, type mmc. 


2. Open the File menu (the Console 
menu in Windows 2000), and then 
choose Add/Remove Snap-In. 


3. On the Standalone tab, click Add. 
4. Select Group Policy and click Add. 


5. In the Select Group Policy Object 
dialog box, click Browse. 


6. On the Computers tab, select 
Another Computer, and then type 
the name of the computer or click 
Browse to select it from a list. 


7. Click OK and then click Finish. 


8. Repeat steps 4 through 7 to add 
other computers to the console. 


9. Click Close and then click OK. 


Local Group Policy vs. Active 
Directory-Based Group Policy 


Group Policy is primarily a feature for 
domain-based networks that use 


Active Directory in Windows 2000 
Server or Windows .NET Server. In an 
Active Directory-based domain, Group 
Policy objects are stored at the 
domain level and affect users and 
computers on the basis of their 
membership in sites, domains, and 
organizational units. (A Group Policy 
object, or GPO, is simply a collection 
of Group Policy settings.) Each 
computer running Windows XP 
Professional or Windows 2000 (any 
version) has a single local Group 
Policy object, which is the one we 
focus on in this book. If your computer 
is part of a Windows 2000 Server- 
based network, it might be affected by 
Group Policy settings other than those 
you set in the local Group Policy 
object. Group Policy settings are 
applied in this order: 


1. Settings from the local 
Group Policy object 


2. Settings from site Group 
Policy objects, in 
administratively 
specified order 


3. Settings from domain 
Group Policy objects, in 
administratively 
specified order 


4. Settings from 
organizational unit 
Group Policy objects, 
from largest to smallest 
organizational unit 


(parent to child 
organizational unit), and 
in administratively 
specified order at the 
level of each 
organizational unit 


Policies applied later overwrite 
previously applied policies, which 
means that if settings conflict, the 
highest-level Active Directory-based 
policy settings take precedence. The 
policy settings are cumulative, so all 
settings contribute to the effective 


policy. 


Using Security Templates 


If you decide to change some of the default settings for the policies shown in 
Tables 19-1 and 19-2, you can make the changes in Group Policy or in Local 
Security Settings, as described in the preceding sections. If you want to apply 
the same changes to a number of computers in your network, however, making 
the settings can be tedious. In this common situation, you’re better off using 
security templates, files that contain preconfigured security settings for various 
purposes. You can also use security templates to restore your security settings 
to a known condition if experimentation with various settings has compromised 
your secure system. A security template can contain the following types of 
settings: 


e Account Policies, including Password Policy and Account Lockout 
Policy settings. (For details about these settings, see Table 3-3. 
Password Policies and Table 3-4. Account Lockout Policies.) 


Local Policies, including Audit Policy, User Rights Assignment, and 
Security Options settings. (See Table 20-1. Audit Policies for 
Security Events, Table 19-1. User Rights Assignment Policies, and 
Table 19-2. Security Options Policies.) 


Event Log. (See Viewing the Log_of Security Events. ) 
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e System Services, which determines the startup type for each 
service. (For information about services, see Table 17-2. 
Windows Services) 


Registry, which sets permissions on registry keys. (See 
Configuring Permissions on Folders, Files, and the Registry. ) 


File System, which sets permissions on folders and files. (See 
Configuring Permissions on Folders, Files, and the Registry.) 


Distribute local Group Policy settings 


Security templates do not include settings for policies in Group 
Policy’s Administrative Templates folders, including the settings 
shown in Table 19-3. Therefore, you can’t use security templates to 
apply those settings to other computers. (The ability to centrally 
manage and apply Group Policy settings is one of the strengths of 
domain-based networks that use Windows 2000 Server or Windows 
.NET Server.) 


However, you can promulgate your policy settings to other 
computers relatively easily: After you make the necessary changes 
on one computer, simply copy the Registry.pol files to each 
computer on which you want to apply the policies. For the settings 
in Computer Configuration\Administrative Templates, copy 
%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol to the 
same folder on the target machine. For the User 
Configuration\Administrative Templates settings, copy the 

Registry. pol file stored in 
%SystemRoot%\System32\GroupPolicy\User. 


Security templates are saved as ordinary text files with a .inf file name 
extension. By default, they're stored in %SystemRoot%\Security\Templates. 
Although you could edit these plain-text (but rather cryptic) files in Notepad or 


another text editor, you don’t need to. The Security Templates snap-in for MMC 
provides a much better and easier means to view, modify, create, and delete 


security templates. 


Each security template that comes with Windows is configured for specific 
purposes. You can use one of these templates as is, modify it, or create a new 
one from scratch. Table 19-4 describes the templates included with Windows 
XP Professional and Windows 2000 Professional. 


Table 19-4. Security Templates Included with Windows 


Template Windows Windows 
Name XP 2000 


Basicdc, Yes 
Basicsv, 

and 

Basicwk 


Compatws Yes Yes 


Hisecdc Yes Yes 
and 
Hisecws 


Ocfiless Yes 
and 
Ocfilesw 


Description 


These templates configure a moderate 
level of security—slightly higher than 
an out-of-the-box installation—by 
setting a number of security options, 
configuring startup services, and 
applying permissions to registry keys 
and folders. They’re intended for use 
on domain controllers (basicdc), stand- 
alone servers (basicsv), and 
workstations (basicwk). 


This template removes all users from 
the Power Users group and relaxes the 
default permissions for members of the 
Users group. This setting allows 
members of the Users group to run 
certain applications that aren’t properly 
designed for Windows security, without 
granting them the additional 
administrative privileges (such as the 
ability to create user accounts) granted 
to Power Users. 


These templates are intended for 
configuring a highly secure domain. 
They include all the settings in the 
Securedc and Securews templates, plus 
additional settings that require more 
secure authentication, restrict security 
group membership, and require data 
signing and encryption in most network 
communications. Hisecdc is intended 
for domain controllers; Hisecws is for 
workstations. 


These templates apply default file 
permissions to all folders and files 
included with Windows 2000 Server 
and Windows 2000 Professional, 
respectively. 


Tena a a S Description 

Rootsec Yes This template applies permissions to 
the root folder of the system drive, 
using the permissions introduced with 
Windows XP. If you inadvertently 
change those permissions, this 
template provides a quick and easy 
way to restore the default permissions. 
The permissions propagate to all child 
objects that inherit permissions from 
the parent, but they aren't applied to 
child objects for which explicit 
permissions have been set. 


Securedc Yes Yes These templates configure strong 

and password, lockout, and audit settings; 

Securews require the use of strong authentication 
protocols; restrict anonymous users; 
and configure Server Message Block 
(SMB) packet signing. They're intended 
for creating secure domains. Use 
Securedc on domain controllers and 
Securews on workstations. 


Setup Yes Yes This template contains the default 

Security security settings that were applied 
when Windows was set up on your 
computer. As such, it makes a good 
disaster-recovery template, allowing 
you to easily go back to the original 
Windows configuration. 


Except for Setup Security.inf, none of the furnished templates 
includes a complete set of security settings. Instead, they're 
designed to modify only a specific subset while leaving other 
settings unchanged. 


Restore default NTFS permissions with a hidden template 


Windows includes another template, Defltwk.inf, that includes all the 
default security settings (including NTFS permissions, user rights 
assignments, policies, registry permissions, and so on) as originally 
configured by Microsoft for a clean installation of Windows on a new 
machine. (For a number of reasons, some of these settings might 
be different from the settings in Setup Security.inf.) Unlike the other 
predefined templates, Defltwk.inf is stored in %SystemRoot%\Inf, a 
hidden folder. Because of its storage location, it doesn’t appear by 
default in the Security Templates snap-in—where it’s more likely to 
get changed inadvertently. Instead, Defltwk.inf (and its companion 
for servers, Defltsv.inf) is intended to be used only with Security 
Configuration And Analysis or Secedit.exe, the tools for analyzing 
current settings and applying settings. Read more about Defltwk.inf 
in Knowledge Base article Q266118. (The article refers only to 
Windows 2000, but Defltwk.inf is also included with Windows XP.) 


Using the Security Templates Snap-In 


Security Templates is an MMC snap-in that allows you to view and edit security 
templates. No console furnished with Windows includes the Security Templates 
snap-in; you'll have to create your own, as follows: 


1. At a command prompt, type mmc. 


2. Open the File menu (the Console menu in Windows 2000), and 
then choose Add/Remove Snap-In. 


3. On the Standalone tab, click Add. 
4. Select Security Templates, and then click Add. 


5. Click Close, and then click OK in the Add/Remove Snap-In dialog 
box. 


By default, the Security Templates snap-in displays the templates stored in 
%SystemRoot%\Security\Templates, as shown in Figure 19-6. To view 
templates stored in another folder, including those stored on a network drive, 
right-click Security Templates in the console tree and choose New Template 
Search Path. 


Figure 19-6. The Security Templates snap-in lets you set permissions 
on folders and files and make other security settings. 


To create a new template, in the console tree, right-click the folder where you 
want to store the template and choose New Template. Enter a name and, 
optionally, a description of the template. You can view the description for a 
template in two ways: 


e In the console tree, select the folder that contains the templates. 
The description of each template appears next to its name in the 
details pane. 


e Right-click a template name (in the console tree or the details 
pane) and choose Set Description. 


If you want to modify the settings in an existing template and also want to 
keep the original template unchanged, right-click the template name and 
choose Save As. After you specify a name for your copy of the template, it 
appears in the console tree. Note that none of the changes you make to a 
template are saved to disk unless you select the template and choose Action, 
Save or right-click a template name and choose Save. (The Save command on 
the File menu saves the console layout and settings—not the template 
settings.) If you have unsaved templates when you close the MMC console, 
Windows asks which of these templates you want to save. Select the ones you 
want to save and click Yes. 


The Security Templates snap-in is a tool for viewing and modifying 
templates only. Changes you make in the snap-in are saved in 
template files, but this snap-in does not apply template security 
settings to a computer. To apply the settings in a template, use the 
procedures described in Applying Template Settings. 


Reviewing Account Policies, Local Policies, Event Log, and 
System Services Settings 


In the Security Templates snap-in, expand the folders in the tree pane until the 
policy in which you are interested is displayed in the details pane. Then double- 
click the policy name to open the properties dialog box; Figure 19-7 shows an 
example. If you want the policy to be controlled by the security template, 
select Define This Policy Setting In The Template and then specify the setting 
you want. Your choices for policy setting depend on the specific policy. (For 
example, some policies require you to select among two or more option 
buttons, whereas others provide a text box or spinner control with which you 
can specify a numeric value.) 


“Figure 19-7. The properties dialog box for each policy has options 
comparable to those in the Local Security Settings console. 


Controlling Security Group Membership 


With restricted groups policies, you can control membership in security groups. 
When you apply a security template with restricted groups policies, any user 
accounts that are currently members of a group whose membership is 
restricted are removed from that group. For example, if you create a restricted 
group policy for Administrators that includes only Ed and Carl in that group, 
applying the template adds Ed and Carl to the group (if they’re not already 
members) and removes all other accounts. Restricting group membership in 
this way is a one-shot deal; administrators can subsequently add or remove 
members from the group. 


To add a group to the list of restricted groups, right-click Restricted Groups and 
choose Add Group. In the Add Group dialog box, type the name of the security 
group you want to add, or click Browse to display a list of all security groups. 
(In Windows XP, click Advanced and then click Find Now to display the list.) 


To control the membership of a restricted group, double-click the group name 
to display the properties dialog box for the group, as shown in Figure 19-8. 
Next to the Members Of This Group box, click Add. In the Add Member dialog 
box, type the user name you want, or click Browse to display a list of user 
names. You can separate multiple names with semicolons, or you can simply 
repeat the process to add other names. 


“Figure 19-8. After applying the template, only user accounts listed in 
the top box remain in the group; if no names appear, the group is empty. 


Configuring Permissions on Folders, Files, and the Registry 


The File System and Registry sections of a security template let you apply 
permissions to folders, files, and registry keys, overriding any permissions 
currently protecting the items you specify. Just as you can within Windows 
Explorer and Registry Editor, you can specify a discretionary access control list 
(DACL), which grants (or denies) access permissions to users and groups. You 
can also specify a system access control list (SACL), which specifies the 
security events to be recorded in the Security log. 


For information about permissions on folders and files, see Using 
NTFS Permissions for Access Control. For information about applying 
permissions within Registry Editor and the effect of registry 
permissions, see Restricting Access to the Registry. 


If the folder or file on which you want to configure ACLs does not appear in the 
details pane when you select File System, right-click File System (or right-click 
an empty area of the details pane) and choose Add File. The Add File command 
opens the Add A File Or Folder dialog box, which lets you browse all folders and 
files in My Computer. The steps for adding a registry key are similar: Right-click 
Registry and choose Add Key. In the Select Registry Key dialog box, you can 
expand the registry hierarchy and select the key you want to configure. 


When the folder, file, or registry key of interest appears in the details pane, 
simply double-click it to configure it. A dialog box similar to the one shown in 
Figure 19-9 appears. To set ACLs, select the first option button and then 
specify how you want to set permissions on child objects (subfolders and files 
within the specified folder, or subkeys within the specified registry key). The 
options to propagate inheritable permissions and replace existing permissions 
correspond to the similarly worded options in the Advanced Security Settings 
dialog box, which opens when you click the Advanced button on the Security 
tab in Windows Explorer or Registry Editor. 


“Figure 19-9. The dialog box for setting registry key permissions is 
nearly identical to this one. Minor wording variations refer to keys instead 
of files and folders. 


Select Do Not Allow Permissions On This File Or Folder To Be Replaced if you 
want to ensure that permissions on this folder, file, or key are not changed 
when a security template is applied. Why not just omit this object name from 
the Registry or File System folder in the template? This option prevents 
changes that might be inflicted through inheritance by settings on a parent 
object. 


Finally, of course, you need to specify the permissions for the object. Click Edit 
Security, and you'll see a dialog box that includes a Security tab just like the 
one in Windows Explorer or Registry Editor. This dialog box shows the object’s 
current security settings. 


Applying Template Settings 


After you've configured a template to include the settings you want, you can 
apply the settings to your local computer. You do this with Security 
Configuration And Analysis, an MMC snap-in that manages a database of 
security settings from one or more templates. You can also use this snap-in to 
compare your current settings to those in the database. 


Before you apply your template settings, you might want to analyze 
your configuration to see what differences exist between your 
current settings and the settings in your security template. For 
details, see Analyzing System Security. 


To use Security Configuration And Analysis, you must add it to an MMC 
console. Use the same procedure as described for Security Templates; for 
Configuration And Analysis snap-in looks like no other, displaying only an 
empty console tree and, in the details pane, sparse instructions for tasks 
whose purpose isn’t clear. 


To house all your security-management tools in one place, create a 
console that includes the Group Policy, Security Templates, and 
Security Configuration And Analysis snap-ins. Save the console in 
your Administrative Tools folder. 


Go ahead and follow these instructions: 


1. Right-click Security Configuration And Analysis and choose Open 
Database. 


2. In the Open Database dialog box, type a name for a new 
database and then click Open. (If you want to use a database 
that you’ve created previously, select it instead.) 


3. In the Import Template dialog box, select a security template and 
then click Open. 


4. If you want to import another security template into the 
database, right-click Security Configuration And Analysis and 
choose Import Template. 


Now you're ready to actually apply your settings. Right-click Security 
Configuration And Analysis and choose Configure Computer Now. In the 
Configure System dialog box, type the path and name for a log file if you don’t 
want to accept the default file. Click OK. (Why it’s called an error log file is 
another mystery of Security Configuration And Analysis; it’s a log of all 
configuration actions, not only errors.) Windows applies your settings, and 
you're once again left at the same cryptic console display. To see what’s 
occurred, right-click Security Configuration And Analysis and choose View Log 
File; the log file appears in the details pane. 


Apply template settings with Secedit.exe 


You might find it convenient to apply template settings with 
Secedit.exe, a command-line utility. This utility can make applying 
settings on multiple computers easier. You could, for example, store 
the security database (.sdb) file on a shared network drive, along 
with a one-line batch program that applies the settings. A 
command-line utility also makes it easy to set up security 
configuration as a scheduled task. 


Before you use Secedit, you must create a security database file 
with Security Configuration And Analysis, as described in the 
numbered steps in the preceding section. Then, to apply your 
settings, use the command secedit /configure /db databasefile, 
where databasefile is the path and name (including extension) of 
the database file. You can omit the path if the database is in the 
current directory. For example, if you leave the security database 
file in the default location, you’d enter the following: 


secedit /configure /db 


wo 


Suserprofile%\my documents\security\database\mysettings 


With additional command-line parameters, you can instruct Secedit 
to apply only certain types of settings specified in the database, 
control the location and display of the log file, and set other options. 
In addition, you can use Secedit to compare your computer settings 
with security database settings, extract a security template file from 
a security database, and more. For details, type secedit /? ata 
command prompt. 


Analyzing System Security 


The Security Configuration And Analysis snap-in 
has that name for a reason: In addition to 
applying template settings (configuration), it 
compares a computer's current security settings 
with those in a security database file (analysis). 
This comparison provides an easy way to 
comprehensively review security settings. You 
can see which settings have been changed, how 
your computer compares with one of the highly 
secure template configurations, and so on. 


To perform an analysis, open Security 
Configuration And Analysis in MMC and then 
create or open a security database. (See the 
preceding section, Applying Template Settings, 
for details.) Right-click Security Configuration 
And Analysis and choose Analyze Computer Now. 
In the Perform Analysis dialog box, modify the 
log file name if you want and then click OK. After 
the analysis is complete, the console tree sprouts 
new branches, identical to those in a template in 
the Security Templates snap-in. 


For each policy in the Account Policies, Local 
Policies, and Event Log folders, the details pane 
shows the database setting and the current 
computer setting. A symbol in a policy’s icon 
indicates at a glance the results of the analysis of 
that policy: 

“A circled green check mark indicates that the 
two settings match. 


“-An X in a red circle identifies policies in which 
the database setting differs from the computer 
setting. 
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A circled exclamation point or question mark 
indicates that the computer setting was not 
analyzed; that typically occurs on policies that 
are relevant only on a domain controller. 


Double-click a policy to see its properties dialog 
box, shown in Figure 19-10. The dialog box 
displays the current settings for the computer 
and in the database. If you want to change the 
setting in the database, select Define This Policy 
In The Database, make your setting, and click 
OK. 


“.Figure 19-10. The properties dialog box 
for a policy initially shows the value in the 
security database. You can change the 
database value if you want to. 


Differences between the database settings and 
computer settings in the Restricted Groups, 
System Services, Registry, and File System 
folders are indicated with icons similar to those 
just shown. Instead of displaying the settings in 
the details pane, however, Security Configuration 
And Analysis displays the word Investigate 
alongside items with differences. Double-click any 
such items in the Restricted Groups or System 
Services folder to display a properties dialog box, 
similar to the dialog box shown in Figure 19-10, 
that shows both settings and allows you to 
modify the database setting. 


Security Configuration And Analysis has another 
quirk as well. Double-clicking an item in the 
Registry or File System folder doesn’t open the 
properties dialog box unless the item is at the 
bottom of the hierarchy. To view the properties 
dialog box for a folder or a key that has child 
objects, right-click it and choose Properties. 


Chapter 20 


Monitoring Security Events 


You can’t keep an eye on your computer—let 
alone all the other computers on your network— 
all the time. Although you might have put in 
place all the proper safeguards to protect your 
data from unauthorized access (such as strong 
passwords, appropriate permissions, and a 
firewall), you can’t be sure that those safeguards 
are always working properly. By taking advantage 
of improper settings inadvertently made by a 
user or simply by making a determined effort, an 
attacker might still gain access to resources that 
should be off limits. 


Fortunately, Microsoft Windows XP Professional 
and Microsoft Windows 2000 provide the ability 
to audit your security setup, by recording 
attempts to access objects on the system, and by 
recording security-sensitive changes to the 
system’s configuration. When properly 
configured, Windows monitors usage of a 
computer, allowing you to spot any unauthorized 
events or other security lapses. Using this 
information, you can plug any security holes to 
prevent a recurrence. 


Windows records security events in the Security 
log, one of three logs that you can peruse in 
Event Viewer. (The others are the Application log 
and the System log. Computers running Microsoft 
Windows 2000 Server might have additional logs, 
including Directory Service, DNS Server, and File 
Replication Service.) In this chapter, we explain 
how to configure your system to audit security 
events, offer some suggestions on which events 
to audit, and show you how to work with the 
Security log in Event Viewer. 


Auditing Security Events 


Auditing tracks the activities of users and 
security-sensitive changes to the system by 
recording in the Security log the events that you 
specify. For example, you can choose to audit 
failed logon attempts, which might indicate that 
someone is trying to log on with an invalid 
password (perhaps using a program to automate 
the attack). Or you might want to monitor the 
use of a particularly sensitive file. You can also 
choose to monitor changes to user accounts and 
passwords, changes to security policies, and use 
of privileges that might reveal that someone is 
trying to “administer” your computer—perhaps 
not with your best interests in mind. 


Enabling Security Auditing 


Unlike the other logs that appear in Event Viewer, 
the Security log is disabled by default in Windows 
XP Professional and Windows 2000. No events 
are written to the Security log until you enable 
auditing, which you do via Local Security 
Settings. (In Windows XP Home Edition, security 
auditing is enabled for certain events. Because 
Home Edition doesn’t include Local Security 
Settings, you cannot change which events are 
audited unless you use a tool like Auditpol.exe, 
which is included in the Windows 2000 Resource 
Kit.) Even if you set up auditing for files, folders, 
or printers, as explained later in this chapter, the 
events you specify aren’t recorded unless you 
also enable auditing by setting a high-level audit 
policy in Local Security Settings. 


To enable auditing, you must be 
logged on with an account that has 
the Manage Auditing And Security Log 


privilege. By default, only members of 
the Administrators group have this 
privilege. For information about 
privileges, see Exploring 


To enable auditing, follow these steps: 


1. In Control Panel, open 
Administrative Tools, Local Security 
Policy. (If you use Category view in 
Windows XP, you'll find 
Administrative Tools under 
Performance And Maintenance.) 
Alternatively, you can type 
secpol.msc at a command prompt. 


2. In the console tree, select Security 
Settings\Local Policies\Audit Policy. 


3. Double-click each policy for which 
you want to enable auditing, and 
then select Success, Failure, or 
both. Figure 20-1 shows the 
properties dialog box for an audit 
policy. 

“-Figure 20-1. You enable 
auditing using the Local 
Security Settings console. 


Figure 20-1 also shows the types of activities you 
can audit. Some, such as account management 
and policy change, provide an audit trail for 
administrative changes. Others, such as logon 
events and object access, help you monitor who 
is attempting to use your system. Still others, 
including system events and process tracking, 
can assist you in locating problems with your 
system. Table 20-1 provides more details. 


Table 20-1. Audit Policies for Security Events 


Policy Description 
Audit Account logon events occur 
account when a user attempts to log 


logon events on or log off across the 
network, authenticating to a 
local user account. 


Policy 


Audit 
account 
management 


Audit 
directory 
service 
access 


Audit logon 
events 


Audit object 
access 


Audit policy 
change 


Description 


Account management events 
occur when a user account or 
security group is created, 
changed, or deleted; when a 
user account is renamed, 
enabled, or disabled; or when 
a password is set or changed. 


Directory service access 
events occur when a user 
attempts to access an Active 
Directory object. (If your 
computer is not part of a 
Windows domain, these 
events won’t occur.) 


Logon events occur when a 
user attempts to log on or log 
off a workstation interactively. 


Object access events occur 
when a user attempts to 
access a file, folder, printer, 
registry key, or other object 
that is set for auditing. 


Policy change events occur 
when a change is made to 
user rights assignment 
policies, audit policies, trust 
policies, or password policies. 


Policy Description 


Audit Privilege use events occur 

privilege use when a user exercises a user 
right (other than logon, 
logoff, and network access 
rights, which trigger other 
types of events). 


Audit Process tracking includes 
process events such as program 
tracking activation, handle duplication, 


indirect object access, and 
process exit. Although this 
policy generates a large 
number of events to wade 
through, it can provide useful 
information, such as which 
program a user used to 
access an object. 


Audit system System events occur when a 

events user restarts or shuts down 
the computer or when an 
event affects the system 
security or the Security log. 


In Windows XP Home Edition, account 
logon, account management, logon, 
policy change, and system events are 
audited for both successful incidents 
and failed attempts. You cannot 


enable auditing for directory service 
access, object access, privilege use, or 
process tracking events, or disable the 
categories that are already enabled, 
without additional tools. 


Local Security Settings has some additional 
policies that affect auditing, but they’re not in the 
Audit Policy folder. Instead, look to the Security 
Settings\Local Policies\ Security Options folder for 
these policies: 


e Audit: Audit the user of Backup 
and Restore privilege. Enable this 
policy if you want to know when 
someone uses a backup program to 
back up or restore files. To make 
this policy effective, you must also 
enable Audit Privilege Use in the 
Audit Policy folder. 


e Audit: Shut down system 
immediately if unable to log 
security audits. For details about 
this extreme security policy, see the 
sidebar Ensuring That You Don’t 
Miss Any Security Events. 


e Audit: Audit the access of global 
system objects. This policy affects 
auditing of obscure objects 
(mutexes and semaphores, for 
example) that aren’t used in most 
home and small business networks; 
you can safely ignore it. 


In Windows 2000, the word “Audit:” 
does not precede the policy names. 


Configuring Auditing of Access to Files, 
Printers, and Registry Keys 


If you want to audit use or attempted use of 
certain files, folders, printers, registry keys, or 
other objects, you must select Success, Failure, 
or both options in the Audit Object Access policy, 
as described in the preceding section. Then you 
must set auditing options for the particular 
objects you want to monitor, as described in the 
following paragraphs. (In general, it’s best to 
select both Success and Failure in the Audit 
Object Access policy, and then be more selective 
when you configure auditing options for each 
object. ) 


Because you can’t make Audit Object 
Access policy settings in Windows XP 
Home Edition, you won't be able to 
audit access to files, printers, and 
other objects. Even if you know the 


trick to bypass Simple File Sharing 
(boot into Safe Mode), which would 
allow you to make audit settings for 
an object, those settings have no 
effect without the high-level policy in 
place. 


Windows can audit a variety of events and can 
audit different events for different users. You 
must be logged on as a member of the 
Administrators group (or the Manage Auditing 
And Security Log right must have been assigned 
to your logon account) to set up auditing of 
objects. 


If you want to audit access to files or 
folders, those objects must be stored 


on an NTFS volume; FAT volumes do 
not support auditing. 


Use the Security tab in the properties dialog box 
for a file, folder, printer, or registry key to display 
the audit settings for that object. You can specify 
the users and groups whose access to the 
selected object you want to audit; and for each 
user and group, you can specify which types of 
access should generate entries in the Security 
log. You should audit the minimum number of 
accesses necessary to accomplish your logging 
goal. For instance, if you want to audit changes 
to permissions, the only access you need to audit 
is Write Permissions. 


To set up auditing for object access, follow these 
steps: 


1. If you haven’t done so already, visit 
Local Security Settings to enable 
auditing. Be sure to set the Audit 
Object Access policy to track both 
success and failure. (See the 
preceding section, Enabling 
Security Auditing. ) 


2. If you use Windows XP Professional 
and your computer is not a member 
of a domain, choose Tools, Folder 
Options in Windows Explorer. Click 
the View tab and then clear the Use 
Simple File Sharing 
(Recommended) check box. Click 
OK. Disabling Simple File Sharing 
allows the Security tab to appear 
when you look at the properties 
dialog box for a file, folder, or 
printer. (You can skip this step if 


you’re configuring auditing for a 
registry key.) 


After you make the 
appropriate audit 
settings for various 
objects (as described in 
the following steps), you 
can restore Simple File 
Sharing by returning to 
Folder Options and 
selecting the same 
check box. Although the 
Security tab will no 
longer be visible in the 
properties dialog box for 
files, folders, and 
printers, the audit 
settings you have made 
remain in effect. 


3. Display the Security tab for the 
object, as follows: 


e For a file or folder, 
right-click the object 
in Windows Explorer 
and choose 
Properties. In the 
properties dialog box, 
click the Security tab. 


e For a printer, right- 
click the printer in the 
Printers folder (in 
Control Panel) and 
choose Properties. In 
the properties dialog 
box, click the Security 
tab. 


e For a registry key in 
Windows XP, right- 
click the key in 
Registry Editor (that 
is, a folder icon in the 
tree pane—not a 
registry value in the 
right pane) and 
choose Permissions. 


For a registry key in 
Windows 2000, open 
Regedt32.exe (not 
Regedit.exe), select 
the key, and choose 
Security, Permissions. 


4. Click the Advanced button to open 
the Advanced Security Settings 
dialog box (in Windows 2000, the 
Access Control Settings dialog box). 


5. Click the Auditing tab. For each 
object, you can specify different 
audit settings for different users. 


67°Click Add to add a new user or 
group, or select an existing user or 
group and then click Edit to change 
its audit settings. 


If you click Add, the Select User Or 
Group dialog box appears. You 
enter the names of user accounts 
or security groups the same way 
you do on the Security tab. (For 
details, see Setting NTFS 
Permissions Through Windows 
Explorer.) Click OK. 


7. In the Auditing Entry dialog box, 
select the types of access you want 
to audit for the selected user or 
group. 


The types of access you can audit 
for success or failure are the same 
types of access for which you can 
set permissions; specifically, the list 
of auditing permissions matches the 
object’s list of special permissions. 
Figure 20-2 shows the options for 
different object types. 


For information about 
special permissions for 


files and folders, see 
Basic and Advanced 
Permissions. 


If you select the Successful check 
box for a specific type of access, 
Windows generates a Security log 
record containing (among other 
information) the date and time of 
each successful use of the specified 
file or folder by the specified user 
or group. Similarly, if you select the 
Failed check box, Windows 
generates a Security log record 
each time the specified user or 
group unsuccessfully attempts to 
access the specified file or folder. 


“-Figure 20-2. The types of 
access you can audit are the 
same as those for which you 
can set permissions. For each 
type of access, you can audit 


successful accesses, failed 
attempts, or both. 


8. If you’re making audit settings for 
an object other than a file, select 
the scope of the objects you want 
to audit from the Apply Onto list. 
Click OK. 


9. On the Auditing tab of the 
Advanced Security Settings dialog 
box, you can select inheritance 
options. These options work exactly 
like (but independent of) the 
comparable options on the 
Permissions tab. For more 
information, see Applying 
Permissions to Subfolders Through 
Inheritance. 


Change audit settings for multiple 
objects in one fell swoop 


You can change audit settings for 
multiple files or folders (but not 
printers or registry keys) 
simultaneously. If you select more 
than one file or folder in Windows 
Explorer before you click the Security 
tab in the properties dialog box, the 
changes you make affect all the 
selected files or folders. If the existing 
security settings are not the same for 
all the items in your selection, a 
message appears, asking whether you 
want to reset the audit settings for the 
entire selection. 


Deciding What to Audit 


Avoid auditing if you don’t need it. Security 
audits, like tax audits, can be time-consuming 
and can waste a lot of resources. When you 
enable auditing, the system must write an event 
record to the Security log for each audit check 
the system performs. This activity can degrade 
your computer’s performance, so you'll want to 
be selective about which events you choose to 
monitor. In addition, indiscriminate auditing adds 
to the log many events that might be of little 
value to you, thereby making the real security 
issues more difficult to find. And because the 
Security log has a fixed size, filling it with 
unimportant events could displace other, more 
significant events. 


Here are some suggestions for what you should 
consider auditing: 


e Audit failed logon attempts, which 
might indicate that someone is 
trying to log on with various invalid 
passwords. 


e If you’re concerned about someone 
using a stolen password to log on, 
audit successful logon events. 


To detect use of sensitive files (such 
as a payroll data file, for example) 
by unauthorized users, audit 
successful read and write access as 
well as failed attempts to use the 
file by suspected users or groups. 


If you use your computer as a Web 
server, you'll want to know whether 


an attacker has defaced your Web 
pages. By auditing write access to 
the files that make up the Web 
pages, you'll know whether your 
site has been vandalized. 


e Logging printer failures quickly 
identifies people who attempt to 
access a printer for which they 
don’t have permission. You might 
also want to log successes (at least 
for users or groups suspected of 
abusing the privilege) to determine, 
for example, who’s using all the 
expensive color ink cartridges. 


e To detect virus activity, audit 
successful write access to program 
files (files with .exe, .com, and .dll 
file name extensions). 


e If you’re concerned that someone is 
misusing administrative privileges, 
audit successful incidents of 
privilege use, account 
management, policy changes, and 
system events. 


Troubleshooting 


No security event is recorded for 
some logon failures. 


If you audit account logon failures, 
you might discover that certain failed 
logon attempts don’t appear in the 
Security log. In particular, if an 
account is locked out because of too 
many incorrect password entries, the 
user’s next attempt should generate 


an event with ID 642 and the 
description “account locked out.” 
Although this works as expected with 
domain-based accounts, failed logon 
attempts using a locked-out local user 
account don’t generate the error. This 
is a bug in Windows 2000, and a patch 
is available. For details, see Microsoft 
Knowledge Base article Q314786. 


Viewing the Log of Security 
Events 


Windows records the security events that you’ve 
chosen to audit in the Security log. To view the 
Security log, you use Event Viewer, a Microsoft 
Management Console snap-in. The Event Viewer 
snap-in is in Computer Management, under 
System Tools. Windows also offers an uncluttered 
view in a predefined console that contains only 
the Event Viewer snap-in. To open this console, 
go to Control Panel, Administrative Tools, Event 
Viewer, or simply type eventvwr.msc at a 
command prompt. You can use Event Viewer to 
examine any of the three logs: Application 
(Appevent.evt), Security (Secevent.evt), or 
System (Sysevent.evt). If you select the Security 
log, you'll see a window similar to the one shown 
in Figure 20-3. 


“-Figure 20-3. The Security log can show at 
a glance that an unauthorized user has 
attempted to access an object. 


Events in the Security log are displayed with one 
of two icons: 


“Indicates a successful performance of an 
audited event 


“Indicates a failed attempt to perform an 
audited event 


Event Logs and Permissions 


By default, the Application log and the 
System log can be viewed by 
Everyone, a built-in security principal 
that includes all users who access the 
computer, including members of the 


Guests group. (In Windows XP, 
Everyone does not include Anonymous 
logons, however.) In addition, 
Everyone has write access to these 
two logs; in effect, that means any 
application can make entries in the 
logs, regardless of the user context in 
which it’s running. Only members of 
the Administrators group can clear 
these logs, however. You can prevent 
guests from viewing the Application 
and System logs by creating a DWORD 
entry named RestrictGuestAccess in 
HKLM\System\ 
CurrentControlSet\Services\EventLog\ 
Application and HKLM\System\ 
CurrentControlSet\Services\EventLog\ 
System. Set each value to 1. 


The Security log can be viewed or 
cleared only by members of the 
Administrators group. In addition, only 
the LocalSystem account (a built-in 
security principal that represents the 
operating system) can write to the 
log, preventing rogue applications 
from filling the log. 


Working with Logged Events 


If you want more information about an event in 
the Security log, double-click the event to open 
the Event Properties dialog box, shown in Figure 
20-4. By carefully examining all unsuccessful 
events, you might notice a pattern in attempts to 
gain access to a system or to particular objects. 


“-Figure 20-4. The details shown in this 
Event Properties dialog box indicate that 
CarlS has attempted to access a file named 
Advanced Appearance.doc without 
permission. 


You can search for particular events in the 
current log by using the Find command on Event 
Viewer’s View menu. This command displays the 
dialog box shown in Figure 20-5. By clearing all 
check boxes except Failure Audit and not entering 
anything in the other fields, you can quickly step 
through each failed attempt to use your system. 
Naturally, if you’re looking for a specific event, 
you can fill in other details about the event to 
speed your search. 


“-Figure 20-5. Use the View, Find command 
to locate a particular event. 


To examine several similar event entries, you can 
filter the list of events. You might want to restrict 
the display to include only events of a certain 
type or only those that occurred within a 
particular range of dates and times, for example. 
To filter a log, right-click the log’s name and 
choose Properties. Then fill out the Filter tab of 
the log’s properties dialog box, shown in Figure 
20-6. To restore the unfiltered list, return to this 
dialog box and click Restore Defaults. 


wal 


Figure 20-6. The Filter tab lets you restrict 
the list to events of particular interest. 


Switch between views 


You can quickly switch between 
filtered and unfiltered views of a log— 
or between one filtered view and a 
different filtered view. Right-click the 
log’s name, and choose New Log View. 
Event Viewer adds the new view to the 
console tree. Select the new view and 
filter as needed. (You might also want 
to give the new view a meaningful 
name; right-click it and choose 
Rename.) Now you can move between 
views by clicking different logs in the 
console tree. If you no longer need a 
view you create, right-click it and 
choose Delete. 


Working with Log Files 


The log files require little maintenance, and the 
default settings are appropriate in most cases. 
But you might want to limit the size of the logs, 
archive their content, or clear the m—tasks that 
are explained in the following sections. 


Setting Log File Size and Longevity 


By default, each log file has a maximum size of 
512 KB. You can adjust that downward or upward 
in 64-KB increments. If you want to maintain a 
long history of events, you can increase the log 
file size significantly; for the best performance, 
however, the combined size of all log files 
shouldn't exceed 512 MB. 


Also by default, events in each log file have a 
minimum longevity of seven days. That means 
that if a file reaches its maximum size, new 
events overwrite the oldest ones—but only if the 
oldest ones are at least seven days old. This too 
is an adjustable parameter. 


To change either a log file’s maximum size or the 
minimum longevity of the events it contains, 
right-click the log and choose Properties. Figure 
20-7 shows a log file’s properties dialog box. (You 
must have administrative privileges to use this 
dialog box; otherwise, all the controls appear 
dimmed.) 


“-Figure 20-7. The properties dialog box 
allows you to control the size of your event 
logs and the lifespan of the events they 
contain. 


If the Event Log service is unable to add new 
events to a log, either because you have told it 


never to overwrite log entries or because a log 
file has reached its capacity before the oldest 
events have reached their minimum age, you'll 
receive a warning message. You can remedy the 
situation, either by simply clearing the log or by 
archiving and then clearing it. 


Ensuring That You Don’t Miss Any 
Security Events 


By default, when the Security log fills 
up, Windows erases the oldest entries 
when it needs to make a new entry— 
just as it does with the System log 
and the Application log. If security is 
critical to your operation, however, 
you can make a policy setting that 
ensures that events are never deleted 
automatically. With or without this 
setting, only administrators—and 
others with the Manage Auditing And 
Security Log right—can view the 
Security log or clear its contents. To 
prevent people from covering their 
tracks, no one can delete individual 
entries; authorized individuals must 
delete all or none. 


Choosing this policy setting is a rather 
drastic solution, and you should 
implement it only when it’s essential 
to preserve every security event. With 
this setting, the system halts with a 
blue screen when the Security log 
becomes full, preventing all further 
use—and possibly causing logged-on 
users to lose data if document files 
happen to be open at the time. If you 
want to enable this level of security, 
follow these steps: 


1. In Event Viewer, right- 
click Security and 
choose Properties. 


2. On the General tab, 
select Do Not Overwrite 
Events (Clear Log 
Manually). 


3. In Local Security 
Settings (Secpol.msc), 
open Security 
Settings\Local Policies\ 
Security Options. 


4. Double-click Audit: Shut 
Down System 
Immediately If Unable 
To Log Security Audits. 
Select Enabled and click 
OK. 


5. Restart the computer. 


After you've followed these steps, the 
computer will halt when the Security 
log becomes full while a 
nonadministrative user is logged on. 
(Note that if you’re logged on as an 
administrator, you can continue to 
work undisturbed—and growth of the 
Security log stops without any notice. 
Therefore, even this security 
safeguard has a serious flaw.) At that 
point, you need to restart the 
computer and log on as a member of 
the Administrators group; no other 
accounts are allowed to log on. 


Your first action after logging on 
should be to review, export if desired, 


and clear the Security log. You then 
need to reset the shutdown policy by 
disabling it, reenabling it, and then 
restarting the computer. (The 
operating system automatically sets 
the registry value the policy controls 
to an invalid value; this is the 
mechanism that prevents others from 
logging on.) To restore the computer 
to normal operation (that is, it 
continues to run even if the Security 
log is full), revisit Local Security 
Settings and disable the policy. 


Naturally, if you employ this trick, you 
should take steps to avoid having the 
Security log fill up, since it can lock 
the computer at inopportune 
moments. Review and then clear the 
log periodically. (Export the log 
contents first if you want to preserve 
them.) You might also want to 
increase the size of the log. 


Archiving and Exporting Log File 
Information 


To archive a log, right-click it and choose Save 
Log File As. In the resulting dialog box, choose 
the default file type, Event Log (*.evt). Saving a 
log in its native (.evt) format creates a complete 
replica of the log, but you can view that replica 
only in Event Viewer (or a third-party application 
capable of reading native event logs). 


Event Viewer can also export log data to tab- 
delimited and comma-delimited text files, 
however, and you can easily import these into 
database, spreadsheet, or even word processing 


programs. When you save a log in one of these 
formats, you get everything in the log except the 
binary data associated with certain events. To 
save an entire log file in a text format, select 
either Text (Tab Delimited) or CSV (Comma 
Delimited) from the Save As Type list. 


The Save Log File As command always Saves all 
events in the selected log, regardless of how the 
log might be filtered for display purposes. If you 
want to generate a text report showing only 
particular kinds of events, first filter the log to 
display those events, and then use the Action 
menu’s Export List command. Like the Save Log 
File As command, Export List provides options for 
saving a tab-delimited or comma-delimited text 
file. Don’t select the Save Only Selected Rows 
check box in the Export List dialog box unless you 
want a report that includes only column headers 
and a single event. 


Displaying an Archived Log File 


After you have saved a log file in the .evt format, 
you can redisplay its contents at any time by 
using the Open Log File command on the Action 
menu. 


A reopened archive appears as a new entry in the 
console tree. You can view it, filter it, and search 
it, just as you would any other log file. You can 
also delete it—something you can’t do to the 
default Application, Security, and System logs. 


Clearing Log Files 
To clear a log, either click the Clear Log button in 


the log’s properties dialog box (shown in Figure 
20-7) or right-click the log and choose Clear All 


Events. You must have administrative privileges 
to clear any log. 


Using security templates to 
configure auditing 


Security templates allow you to save 
all your settings as a template, which 
you can then apply to other computers 
(templates provide an easy way to 
apply uniform settings on multiple 
computers) or on the same computer 
(a template can be useful for restoring 
security settings to a known state). 
The configuration of audit policies and 
Event Viewer can be part of a security 
template. For information about 
configuring policies with security 
templates and applying template 
settings, see Using Security 
Templates. 


To configure audit policies (those 
described in Enabling Security 
Auditing), visit a template’s Local 
Policies\Audit Policy folder. 


To configure auditing for object access 
(as described in “Configuring Auditing 
of Access to Files, Printers, and 
Registry Keys"), use the template’s 
File System and Registry folders. (You 
can’t configure printer auditing using 
security templates.) In those folders, 
right-click the object of interest, 
choose Properties, and then click Edit 
Security. 


You can also configure certain Event 
Viewer options using security 
templates. You'll find the relevant 


policies in each template’s Event Log 
folder. (In Windows 2000, the policies 
are in a subfolder named Settings For 
Event Logs.) The following template 
settings affect the Security log: 


e Maximum security log 
size. This corresponds 
to the like-named 
setting in the Security 
Properties dialog box, 
shown in Figure 20-7. 


e Prevent local guests 
group from accessing 
security log (in 
Windows 2000, Restrict 
guest access to 
security log). This 
setting controls the 
RestrictGuestAccess 
value in the registry’s 
HKLM\System\CurrentCo 
ntrolSet\ 
Services\Eventlog\Securi 
ty key. 


e Retain security log. 
This sets the value of 
the Overwrite Events 
Older Than __ Days box 
in the Security 
Properties dialog box. 


e Retention method for 
security log. This 
setting corresponds to 
the When Maximum Log 
Size Is Reached option 


in the Security 
Properties dialog box. 


The same folder contains analogous 
policies for the Application and System 
logs. Security templates in Windows 
2000 also include a Shut Down The 
Computer When The Security Audit 
Log Is Full policy, which is merely 
another avenue to the like-named 
policy in Local Policies\Security 
Options. 


zs 

This book’s companion CD includes two example 
security templates that configure auditing. One 
template (named Forensic) is for forensic 
purposes, and it enables success auditing for 
most events. The other (Intrusiondetection) is for 
intrusion detection purposes, and it enables both 
success and failure auditing. Both templates 
create many access settings for the 
%SystemRoot% folder and the files and folders it 
contains to track modifications to system files. To 
see which events and audit policy settings the 
templates create, open the .inf file for the 
template. The companion CD also includes a pair 
of batch programs (Applyforensic.cmd and 
Applyid.cmd) that use Secedit.exe to apply the 
templates. For information about applying 
security templates and using Secedit, see 
Applying Template Settings. 


Viewing Other Security-Related 
Logs 


Some applications and services generate their 
own logs of security-related events. The security 
log format, location, and options are likely to be 
different for each application or service, so you'll 
need to do some sleuthing. We mention the 
possibility here so that you can start your own 
investigation. Here are a few clues to get you 
started: 


e If you use Internet Connection 
Firewall (ICF), you can configure it 
to keep track of blocked (or 
successful) connections. It stores 
the log in 
%SystemRoot%\Pfirewall.log by 
default. Although it’s a standard 
text file, it’s difficult to read in its 
raw form. For information about 
configuring the ICF log and 
instructions for displaying it ina 
more useful form, see Configuring 
Internet Connection Firewall 
Logging. 


e If you use another type of firewall 
(software or hardware), it 
undoubtedly has some logging 
capabilities that record connection 
attempts. 


e Many antivirus programs have built- 
in viewers for their activity logs. 
Such logs will show events such as 
scanning your system for viruses, 


updating virus definitions, 
quarantining viruses, and so on. 


Only the operating system itself can 
write to the Security log. Otherwise, 
malevolent applications could fill the 
Security log with meaningless events, 
thereby clearing out the noteworthy 
events you want to record. Therefore, 
applications and services are limited to 


making entries in the Application log 
or the System log—or in a separate 
log managed by the specific 
application or service. (Of course, if 
the application or service performs 
actions that generate security events 
you've chosen to audit, the events 
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Appendix A 


The Ten Immutable Laws of 
Security 


This article, reprinted with permission 
of the Microsoft Security Response 
Center, is widely regarded as one of 
the most important statements on 
computer security and is on our must- 


read list. You'll find this article and 
many more essential resources, 
including security bulletins and 
whitepapers, at Microsoft’s Security 
site, 

http://www. microsoft.com/security. 


Here at the Microsoft Security Response Center, 
we investigate thousands of security reports 
every year. In some cases, we find that a report 
describes a bona fide security vulnerability 
resulting from a flaw in one of our products; 
when this happens, we develop a patch as quickly 
as possible to correct the error. In other cases, 
the reported problems simply result from a 
mistake someone made in using the product. But 
many fall in between. They discuss real security 
problems, but the problems don’t result from 
product flaws. Over the years, we’ve developed a 
list of issues like these, that we call the Ten 
Immutable Laws of Security. 


Don’t hold your breath waiting for a patch that 
will protect you from the issues we'll discuss 
below. It isn’t possible for Microsoft — or any 
software vendor — to “fix” them, because they 
result from the way computers work. But don’t 
abandon all hope yet — sound judgment is the 
key to protecting yourself against these issues, 
and if you keep them in mind, you can 


significantly improve the security of your 
systems. 


Law #1: If a bad guy can 
persuade you to run his 
program on your computer, it’s 
not your computer anymore. 


It’s an unfortunate fact of computer science: 
when a computer program runs, it will do what 
it's programmed to do, even if it’s programmed to 
be harmful. When you choose to run a program, 
you are making a decision to turn over control of 
your computer to it. Once a program is running, 
it can do anything, up to the limits of what you 
yourself can do on the machine. It could monitor 
your keystrokes and send them to a web site. It 
could open every document on the machine, and 
change the word “will” to “won’t” in all of them. It 
could send rude emails to all your friends. It 
could install a virus. It could create a “back door” 
that lets someone remotely control your machine. 
It could dial up an ISP in Katmandu. Or it could 
just reformat your hard drive. 


That’s why it’s important to never run, or even 
download, a program from an untrusted source — 
and by “source”, I mean the person who wrote it, 
not the person who gave it to you. There’s a nice 
analogy between running a program and eating a 
sandwich. If a stranger walked up to you and 
handed you a sandwich, would you eat it? 
Probably not. How about if your best friend gave 
you a sandwich? Maybe you would, maybe you 
wouldn’t — it depends on whether she made it or 
found it lying in the street. Apply the same 
critical thought to a program that you would to a 
sandwich, and you'll usually be safe. 


Law #2: If a bad guy can alter 
the operating system on your 
computer, it’s not your 
computer anymore. 


In the end, an operating system is just a series of 
ones and zeroes that, when interpreted by the 
processor, cause the machine to do certain 
things. Change the ones and zeroes, and it will do 
something different. Where are the ones and 
zeroes stored? Why, on the machine, right along 
with everything else! They’re just files, and if 
other people who use the machine are permitted 
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to change those files, it’s “game over”. 


To understand why, consider that operating 
system files are among the most trusted ones on 
the computer, and they generally run with 
system-level privileges. That is, they can do 
absolutely anything. Among other things, they’re 
trusted to manage user accounts, handle 
password changes, and enforce the rules 
governing who can do what on the computer. If a 
bad guy can change them, the now- 
untrustworthy files will do his bidding, and there’s 
no limit to what he can do. He can steal 
passwords, make himself an administrator on the 
machine, or add entirely new functions to the 
operating system. To prevent this type of attack, 
make sure that the system files (and the registry, 
for that matter) are well protected. (The security 
checklists on the Microsoft Security web site will 
help you do this). 


Law #3: If a bad guy has 
unrestricted physical access to 
your computer, it’s not your 
computer anymore. 


Oh, the things a bad guy can do if he can lay his 
hands on your computer! Here’s a sampling, 
going from Stone Age to Space Age: 


e He could mount the ultimate low- 
tech denial of service attack, and 
smash your computer with a 
sledgehammer. 


e He could unplug the computer, haul 
it out of your building, and hold it 
for ransom. 


e He could boot the computer from a 
floppy disk, and reformat your hard 
drive. But wait, you say, I’ve 
configured the BIOS on my 
computer to prompt for a password 
when I turn the power on. No 
problem — if he can open the case 
and get his hands on the system 
hardware, he could just replace the 
BIOS chips. (Actually, there are 
even easier ways). 


e He could remove the hard drive 
from your computer, install it into 
his computer, and read it. 


e He could make a duplicate of your 
hard drive and take it back his lair. 
Once there, he’d have all the time 
in the world to conduct brute-force 


attacks, such as trying every 
possible logon password. Programs 
are available to automate this and, 
given enough time, it’s almost 
certain that he would succeed. 
Once that happens, Laws #1 and 
#2 above apply 


e He could replace your keyboard 
with one that contains a radio 
transmitter. He could then monitor 
everything you type, including your 
password. 


Always make sure that a computer is physically 
protected in a way that’s consistent with its value 
— and remember that the value of a machine 
includes not only the value of the hardware itself, 
but the value of the data on it, and the value of 
the access to your network that a bad guy could 
gain. At a minimum, business-critical machines 
like domain controllers, database servers, and 
print/file servers should always be in a locked 
room that only people charged with 
administration and maintenance can access. But 
you may want to consider protecting other 
machines as well, and potentially using additional 
protective measures. 


If you travel with a laptop, it’s absolutely critical 
that you protect it. The same features that make 
laptops great to travel with — small size, light 
weight, and so forth — also make them easy to 
steal. There are a variety of locks and alarms 
available for laptops, and some models let you 
remove the hard drive and carry it with you. You 
also can use features like the Encrypting File 
System in Windows 2000 to mitigate the damage 
if someone succeeded in stealing the computer. 


But the only way you can know with 100% 
certainty that your data is safe and the hardware 
hasn’t been tampered with is to keep the laptop 
on your person at all times while traveling. 


Law #4: If you allow a bad guy 
to upload programs to your 
web site, it’s not your web site 
any more. 


This is basically Law #1 in reverse. In that 
scenario, the bad guy tricks his victim into 
downloading a harmful program onto his machine 
and running it. In this one, the bad guy uploads a 
harmful program to a machine and runs it 
himself. Although this scenario is a danger 
anytime you allow strangers to connect to your 
machine, web sites are involved in the 
overwhelming majority of these cases. Many 
people who operate web sites are too hospitable 
for their own good, and allow visitors to upload 
programs to the site and run them. As we’ve 
seen above, unpleasant things can happen if a 
bad guy’s program can run on your machine. 


If you run a web site, you need to limit what 
visitors can do. You should only allow a program 
on your site if you wrote it yourself, or if you trust 
the developer who wrote it. But that may not be 
enough. If your web site is one of several hosted 
on a shared server, you need to be extra careful. 
If a bad guy can compromise one of the other 
sites on the server, it’s possible he could extend 
his control to the server itself, in which he could 
control all of the sites on it - including yours. If 
you're on a Shared server, it’s important to find 
out what the server administrator’s policies are. 
(By the way, before opening your site to the 
public, make sure you’ve followed the security 
checklists for IIS 4.0 and IIS 5.0). 


Law #5: Weak passwords 
trump strong security. 


The purpose of having a logon process is to 
establish who you are. Once the operating 
system knows who you are, it can grant or deny 
requests for system resources appropriately. If a 
bad guy learns your password, he can log on as 
you. In fact, as far as the operating system is 
concerned, he is you. Whatever you can do on 
the system, he can do as well, because he’s you. 
Maybe he wants to read sensitive information 
you've stored on your computer, like your email. 
Maybe you have more privileges on the network 
than he does, and being you will let him do things 
he normally couldn’t. Or maybe he just wants to 
do something malicious and blame it on you. In 
any case, it’s worth protecting your credentials. 


Always use a password - it’s amazing how many 
accounts have blank passwords. And choose a 
complex one. Don’t use your dog’s name, your 
anniversary date, or the name of the local 
football team. And don’t use the word 
“password”! Pick a password that has a mix of 
upper- and lower-case letters, number, 
punctuation marks, and so forth. Make it as long 
as possible. And change it often. Once you’ve 
picked a strong password, handle it appropriately. 
Don’t write it down. If you absolutely must write 
it down, at the very least keep it in a safe or a 
locked drawer — the first thing a bad guy who’s 
hunting for passwords will do is check for a 
yellow sticky note on the side of your screen, or 
in the top desk drawer. Don’t tell anyone what 
your password is. Remember what Ben Franklin 
said: two people can keep a secret, but only if 
one of them is dead. 


Finally, consider using something stronger than 
passwords to identify yourself to the system. 
Windows 2000, for instance, supports the use of 
smart cards, which significantly strengthens the 
identity checking the system can perform. You 
may also want to consider biometric products like 
fingerprint and retina scanners. 


Law #6: A machine is only as 
secure as the administrator is 
trustworthy. 


Every computer must have an administrator: 
someone who can install software, configure the 
operating system, add and manage user 
accounts, establish security policies, and handle 
all the other management tasks associated with 
keeping a computer up and running. By 
definition, these tasks require that he have 
control over the machine. This puts the 
administrator in a position of unequalled power. 
An untrustworthy administrator can negate every 
other security measure you’ve taken. He can 
change the permissions on the machine, modify 
the system security policies, install malicious 
software, add bogus users, or do any of a million 
other things. He can subvert virtually any 
protective measure in the operating system, 
because he controls it. Worst of all, he can cover 
his tracks. If you have an untrustworthy 
administrator, you have absolutely no security. 


When hiring a system administrator, recognize 
the position of trust that administrators occupy, 
and only hire people who warrant that trust. Call 
his references, and ask them about his previous 
work record, especially with regard to any 
security incidents at previous employers. If 
appropriate for your organization, you may also 
consider taking a step that banks and other 
security-conscious companies do, and require 
that your administrators pass a complete 
background check at hiring time, and at periodic 
intervals afterward. Whatever criteria you select, 
apply them across the board. Don’t give anyone 


administrative privileges on your network unless 
they've been vetted — and this includes 
temporary employees and contractors, too. 


Next, take steps to help keep honest people 
honest. Use sign-in/sign-out sheets to track 
who’s been in the server room. (You do have a 
server room with a locked door, right? If not, re- 
read Law #3). Implement a “two person” rule 
when installing or upgrading software. Diversify 
management tasks as much as possible, as a way 
of minimizing how much power any one 
administrator has. Also, don’t use the 
Administrator account — instead, give each 
administrator a separate account with 
administrative privileges, so you can tell who’s 
doing what. Finally, consider taking steps to make 
it more difficult for a rogue administrator to cover 
his tracks. For instance, store audit data on 
write-only media, or house System A's audit data 
on System B, and make sure that the two 
systems have different administrators. The more 
accountable your administrators are, the less 
likely you are to have problems. 


Law #7: Encrypted data is only 
as secure as the decryption 
key. 


Suppose you installed the biggest, strongest, 
most secure lock in the world on your front door, 
but you put the key under the front door mat. It 
wouldn’t really matter how strong the lock is, 
would it? The critical factor would be the poor 
way the key was protected, because if a burglar 
could find it, he’d have everything he needed to 
open the lock. Encrypted data works the same 
way - no matter how strong the cryptoalgorithm 
is, the data is only as safe as the key that can 
decrypt it. 


Many operating systems and cryptographic 
software products give you an option to store 
cryptographic keys on the computer. The 
advantage is convenience — you don’t have to 
handle the key — but it comes at the cost of 
security. The keys are usually obfuscated (that is, 
hidden), and some of the obfuscation methods 
are quite good. But in the end, no matter how 
well-hidden the key is, if it’s on the machine it 
can be found. It has to be — after all, the 
software can find it, so a sufficiently-motivated 
bad guy could find it, too. Whenever possible, use 
offline storage for keys. If the key is a word or 
phrase, memorize it. If not, export it to a floppy 
disk, make a backup copy, and store the copies in 
separate, secure locations. (All of you 
administrators out there who are using Syskey in 
“local storage” mode — you’re going to 
reconfigure your server right this minute, right?) 


Law #8: An out of date virus 
scanner is only marginally 
better than no virus scanner at 
all. 


Virus scanners work by comparing the data on 
your computer against a collection of virus 
“signatures”. Each signature is characteristic of a 
particular virus, and when the scanner finds data 
in a file, email, or elsewhere that matches the 
signature, it concludes that it’s found a virus. 
However, a virus scanner can only scan for the 
viruses it knows about. It’s vital that you keep 
your virus scanner’s signature file up to date, as 
new viruses are created every day. 


The problem actually goes a bit deeper than this, 
though. Typically, a new virus will do the greatest 
amount of damage during the early stages of its 
life, precisely because few people will be able to 
detect it. Once word gets around that a new virus 
is on the loose and people update their virus 
signatures, the spread of the virus falls off 
drastically. The key is to get ahead of the curve, 
and have updated signature files on your machine 
before the virus hits. 


Virtually every maker of anti-virus software 
provides a way to get free updated signature files 
from their web site. In fact, many have “push” 
services, in which they'll send notification every 
time a new signature file is released. Use these 
services. Also, keep the virus scanner itself — 
that is, the scanning software — updated as well. 
Virus writers periodically develop new techniques 
that require that the scanners change how they 
do their work. 


Law #9: Absolute anonymity 
isn’t practical, in real life or on 
the web. 


All human interaction involves exchanging data of 
some kind. If someone weaves enough of that 
data together, they can identify you. Think about 
all the information that a person can glean in just 
a short conversation with you. In one glance, 
they can gauge your height, weight, and 
approximate age. Your accent will probably tell 
them what country you’re from, and may even 
tell them what region of the country. If you talk 
about anything other than the weather, you'll 
probably tell them something about your family, 
your interests, where you live, and what you do 
for a living. It doesn’t take long for someone to 
collect enough information to figure out who you 
are. If you crave absolute anonymity, your best 
bet is to live in a cave and shun all human 
contact. 


The same thing is true of the Internet. If you visit 
a web site, the owner can, if he’s sufficiently 
motivated, find out who you are. After all, the 
ones and zeroes that make up the web session 
have be able to find their way to the right place, 
and that place is your computer. There are a lot 
of measures you can take to disguise the bits, 
and the more of them you use, the more 
thoroughly the bits will be disguised. For 
instance, you could use network address 
translation to mask your actual IP address, 
subscribe to an anonymizing service that 
launders the bits by relaying them from one end 
of the ether to the other, use a different ISP 
account for different purposes, surf certain sites 


only from public kiosks, and so on. All of these 
make it more difficult to determine who you are, 
but none of them make it impossible. Do you 
know for certain who operates the anonymizing 
service? Maybe it’s the same person who owns 
the web site you just visited! Or what about that 
innocuous web site you visited yesterday, that 
offered to mail you a free $10 off coupon? Maybe 
the owner is willing to share information with 
other web site owners. If so, the second web site 
owner may be able to correlate the information 
from the two sites and determine who you are. 


Does this mean that privacy on the web is a lost 
cause? Not at all. What it means is that the best 
way to protect your privacy on the Internet is the 
same as the way you protect your privacy in 
normal life - through your behavior. Read the 
privacy statements on the web sites you visit, 
and only do business with ones whose practices 
you agree with. If you’re worried about cookies, 
disable them. Most importantly, avoid 
indiscriminate web surfing - recognize that just 
as most cities have a bad side of town that’s best 
avoided, the Internet does too. But if it’s 
complete and total anonymity you want, better 
start looking for that cave. 


Law #10: Technology is nota 
panacea. 


Technology can do some amazing things. Recent 
years have seen the development of ever- 
cheaper and more powerful hardware, software 
that harnesses the hardware to open new vistas 
for computer users, as well as advancements in 
cryptography and other sciences. It’s tempting to 
believe that technology can deliver a risk-free 
world, if we just work hard enough. However, this 
is simply not realistic. 


Perfect security requires a level of perfection that 
simply doesn’t exist, and in fact isn’t likely to 
ever exist. This is true for software as well as 
virtually all fields of human interest. Software 
development is an imperfect science, and all 
software has bugs. Some of them can be 
exploited to cause security breaches. That’s just a 
fact of life. But even if software could be made 
perfect, it wouldn’t solve the problem entirely. 
Most attacks involve, to one degree or another, 
some manipulation of human nature — this is 
usually referred to as social engineering. Raise 
the cost and difficulty of attacking security 
technology, and bad guys will respond by shifting 
their focus away from the technology and toward 
the human being at the console. It’s vital that 
you understand your role in maintaining solid 
security, or you could become the chink in your 
own systems’ armor. 


The solution is to recognize two essential points. 
First, security consists of both technology and 
policy — that is, it’s the combination of the 
technology and how it’s used that ultimately 
determines how secure your systems are. 


Second, security is journey, not a destination — it 
isn’t a problem that can be “solved” once and for 
all; it’s a constant series of moves and 
countermoves between the good guys and the 
bad guys. The key is to ensure that you have 
good security awareness and exercise sound 
judgment. There are resources available to help 
you do this. The Microsoft Security web site, for 
instance, has hundreds of white papers, best 
practices guides, checklists and tools, and we're 
developing more all the time. Combine great 
technology with sound judgment, and you'll have 
rock-solid security. 
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Footnotes 


Chapter 3 


1. User Accounts is not available in 
Windows 2000 or in Windows XP 
Professional when the computer is 
joined to a domain. 


2. These three switches allow you to 
make security-related settings that 
you can’t make (or even view) 
using the other account- 
management tools. They provide 
powerful options that are otherwise 
available only with Active Directory 
and a server-based domain. 


Chapter 10 


1. Blocked only in Outlook 2002 


2. Blocked only in Outlook 2002 SP-1 
and later 


Chapter 13 


1. Converted from persistent to 
session. 


2. Prevented from being read ina 
third-party context. 


Chapter 19 


1. Not available in Windows 2000. 


2. In Windows 2000, this right is 
called Increase Quotas. 


3. Table entries provide the Windows 
XP name. In most cases, the name 
in Windows 2000 is the same, 
except that the category (the part 
of the name before the colon) is not 
included. By default, policies are 
listed in the Security Options folder 
in alphabetical order, so if you use 
Windows 2000, the order differs 
from the list shown here. 


4. Not available in Windows 2000. 


5. In Windows 2000, the name begins 
with “Secure channel” instead of 
“Domain member.” 


Sample Chapters from the 
Inside Out Series 


Microsoft Windows XP Inside 
Out 


Chapter 1 


Introducing Windows XP 


Think you know Microsoft Windows inside out? 
Think again. 


For more than a decade, power users have 
obsessed over ways to make Windows run faster, 
work smarter, and crash less often. Through 
books, magazine articles, and the Web, Windows 
users have amassed huge collections of keyboard 
shortcuts, registry hacks, elegant workarounds, 
and undocumented secrets to help master each 
succeeding Windows version. And now that 
Microsoft Windows XP has arrived, much of that 
hard-earned knowledge is irrelevant or obsolete. 


Sorry to have to deliver the bad news, but it’s 
true: From top to bottom, Windows XP is 
dramatically different from previous Windows 
versions. The more you think you know about 
Windows, the more likely you'll feel at least a 
little disoriented when you begin working with 
Windows XP. That’s especially true if you’ve spent 
the past few years mastering Windows 95 and its 
successors, Windows 98 and Windows Millenium 
Edition (Me). 


Now for the good news: The changes in Windows 
XP are well worth the time and effort you'll spend 
unlearning old habits and mastering a new 
operating system. After you learn your way 
around Windows XP, we predict you'll appreciate 
its reliability, security, and smoother way of 
handling everyday tasks. Our mission in this book 
is to help you take full advantage of the rich new 
features in Windows XP while working around this 
complex operating system’s quirks, rough edges, 
and annoyances. And although the book is 
published by Microsoft Press, we've taken 


advantage of our editorial freedom to tell you 
when we've found a better way than the Windows 
way. 


This book brings you the detailed, inside 
information you need to quickly get your bearings 
in Windows XP and make the right setup and 
configuration choices the first time. Don’t like the 
default settings? Don’t worry. We’ve uncovered 
the fastest, easiest ways to get things done, and 
we also show you how to tweak the radically 
redesigned Windows XP interface so it works the 
way you want it to work. We've found plenty of 
registry hacks and undocumented secrets, too. 


For the sake of this book, we assume that you 
have plenty of experience with Windows 
95/98/Me and at least a nodding familiarity with 
Windows 2000. If that description fits you, read 
this chapter carefully to learn about the major 
changes in Windows XP that will most affect you. 
If you’re an experienced Windows 2000 user, 
some of the information in this chapter may seem 
familiar, but we recommend that you skim 
through it anyway, because some changes that 
aren’t immediately obvious can have a big impact 
on your PC and network. (Pay particular attention 
to the tricky new security and file-sharing 
system, which is dramatically different from its 
Windows 2000 predecessor on home and small 
business PCs.) 


What’s New in Windows XP 


Windows XP brings together two product families 
that were previously separate and decidedly 
unequal. From Windows 2000, it inherits a 
reliable, generally crash-proof foundation. It adds 
a host of user-friendly features and system 
utilities that were previously available only in 
Windows 98 or Windows Me. For good measure, 
it tosses in some interface enhancements and 
new capabilities that were previously available 
only as third-party add-ins. 


Most importantly, Windows XP comes in two 
distinctly different versions: 


e Windows XP Home Edition. This 
budget-priced versionis typically 
bundled with consumer PCs sold for 
use in homes and very small 
businesses. It’s intended for 
nontechnical users who don’t need 
to connect to corporate networks 
and don’t want to fuss with 
complicated system and security 
options. It’s compatible with any 
desktop or notebook PC that has a 
single CPU and a single video 
display. 


e Windows XP Professional. This 
version includes everything in the 
Home Edition, plus all the 
networking and security 
components required to join a 
Windows NT/2000/XP domain. If 
your system configuration includes 
certain types of high-performance 


hardware, such as a dual-processor 
motherboard, you'll need Windows 
XP Professional to fully utilize it. 


Before you read any further, check to see which 
version of Windows XP is installed on your PC. 
Open Control Panel’s System option and look on 
the General tab. Figure 1-1 shows what you 
should expect to see if you’re running the initial 
release of Windows XP Professional. If you’ve 
installed a service pack, you'll see its details 
here, too. (You can read more details about the 
differences between Windows XP Home Edition 
and Professional later in this chapter.) 


“Figure 1-1. The System Properties dialog 
box supplies detailed information about your 
Windows version and your hardware 
configuration. 


Figure 1-1. The System Properties dialog 
box supplies detailed information about your 
Windows version and your hardware 
configuration. 


Get fast access to system settings 
You don’t have to pass through 
Control Panel to get to the System 
Properties dialog box. Hold down the 
Windows logo key and press Break to 
open this handy dialog box 
immediately. No Windows logo key? 
Create a shortcut to Sysdm.cpl (you'll 
find it in the 
%SystemRoot%\System32 folder) and 
place it anywhere in the Programs 
menu. Then open the shortcut’s 
properties dialog box and assign it an 
easy-to-remember keyboard shortcut 
such as Ctrl+Alt+Shift+S. 


Windows XP Professional is a massive collection 
of code that tries to be all things to all people, 
from performance-obsessed gamers to buttoned- 
down corporate executives and spreadsheet 
jockeys. For the most part, it succeeds. In this 
book, we cover a broad range of tasks that a 
well-rounded Windows XP user might tackle at 
home or at work. 


Increased Reliability and 
Security 


If you’re upgrading from Windows 2000, the 
architectural changes in Windows XP are subtle 
and in some instances practically invisible. But if 
you're moving up from Windows 95/98 or 
Windows Me, you'll have to deal with new system 
utilities (using the Disk Management snap-in 
instead of FDISK to create and format hard disk 
partitions, for instance). You'll also face 
unfamiliar setup options, such as whether to 
choose NTFS or stick with FAT32 as the file 
system for hard disk partitions. And you'll need to 
understand the new file-sharing system, which is 
considerably more secure than the minimal 
password protection used in Windows 95/98 and 
Windows Me. 


For a full explanation of your file- 
sharing options, see Chapter 13, 
“Securing Files and Folders.” 


The payoff for this added complexity is a 
dramatic decrease in system crashes, hangs, 
lockups, and mysterious error messages—thanks 
to the following improvements: 


e New Windows engine. The 
designers of Windows XP tossed out 
every last vestige of the MS-DOS- 
compatible core code used in 
Windows 95/98 (and, despite some 
attempts to hide it, in Windows Me 
as well). At the heart of both 
versions of Windows XP is the 
robust and reliable kernel 
introduced in Windows 2000. With 


its fully protected memory model, 
tightly integrated security, and a 
hardware abstraction layer (HAL) 
that protects key system 
components from poorly written 
programs, Windows XP is far less 
likely to crash in everyday use. And 
when crashes do occur, you can 
choosefrom a more powerful set of 
troubleshooting utilities than those 
available for earlier Windows 
versions. 


e Robust system protection tools. 
A common source of problems in 
previous Windows versions is “DLL 
hell”—the irritating instability that 
results when poorly written 
applications replace crucial system 
files with outdated or incorrect 
versions. Windows XP monitors 
these crucial system files, 
preserving the correct version of 
the system file while allowing the 
program you just installed to use its 
own DLL file. For additional 
protection, you can use the System 
Restore utility (shown in Figure 1- 
2) to create a snapshot of system 
files and settings so that you can 
“roll back” to a previous 
configuration when a new 
application or device driver causes 
problems. 


System Restore is an integral part of a 
comprehensive data-protection 
program that should also include a 
regular backup schedule. Although this 


utility can help you recover from 
common configuration errors, it will 
not protect data files from corruption 
or accidental deletion, and it can’t do 
anything to recover data that’s 
damaged by a hard drive failure or 
electrical spike. 


For detailed instructions on how to 
keep crashes from occurring, see 
Chapter 24, “Performing Routine 
Maintenance.” To minimize damage 


caused by crashes that happen in 
spite of your best efforts, see Chapter 
25, “Recovering After a Computer 
Crash.” 


e Device driver rollback. Windows 
veterans know that buggy device 
drivers can make a mess of even 
the most meticulously maintained 
system. Windows XP protects you 
from driver-related woes by 
warning you when you try to install 
an unsigned driver that has not 
been certified as compatible with 
Windows XP. It also offers the 
capability to uninstall a driver and 
restore the previous version—from 
Safe Mode, if necessary. 


For more information about hardware 
and Windows XP, see Chapter 6, 


“Setting Up and Troubleshooting 
Hardware.” 


“-Figure 1-2. Use the System Restore utility 
to undo system configuration changes that 
cause headaches. Windows XP automatically 
saves files and settings (called restore 
points) at regular intervals; you can create 
checkpoints manually as well. 


Figure 1-2. Use the System Restore utility 
to undo system configuration changes that 
cause headaches. Windows XP automatically 
saves files and settings (called restore 
points) at regular intervals; you can create 
checkpoints manually as well. 


e Security features. Password- 
protected logins and the ability to 
set permissions on files and folders 
make it possible for you to share a 
PC with otherswithout allowing 
them to install unwelcome software 
(including viruses) or delete 
important files. A friendly Welcome 
screen and easy-to-use 
administrative tools make it 
especially easy to set up a shared 
PC at home or in a small office, 
with each user having a customized 
desktop and Start menu, plus 
secure access to protected files. 


For a detailed explanation of how 
Windows XP lets you control what 
each user can and can’t do, see 
Chapter 3, “Controlling Access to Your 
Computer.” To learn how to restrict 
access to personal and sensitive files 
and folders, see Chapter 13, “Securing 
Files and Folders.” Need instructions 
on how to share files and printers over 


a network? You'll find those details in 
Chapter 31, “Managing Shared Folders 
and Printers.” 


Fresh Visual Design 


Windows XP offers the most sweeping overhaul of 
the Windows interface since the introduction of 
Windows 95. If you choose the new Windows XP 
interface, you'll notice the following changes right 
away: 


e Brighter colors. The default 
Windows XP color scheme is bolder 
and edgier than the relatively 
sedate color combinations used in 
previous Windows versions. 
Windows XP takes full advantage of 
video hardware that is capable of 
24-bit and 32-bit true color 
settings. 


e 3-D windows and buttons. When 
you choose the Windows XP style, 
windows and buttons take on a 3-D 
appearance with rounded edges 
and sleek shadows. In addition, 
you'll see subtle shifts in color as 
you pass the mouse pointer over 
buttons, tabs, and other interface 
elements, much the same as those 
that characterize hot spots on a 
Web page. 


e Sharper icons. Every system icon 
has been reworked for Windows XP. 
The new icons are brighter and 
richer looking, because they 
support color resolutions up to 24- 
bit (true color). In addition, each 
icon is available in three sizes, 
including a super-size 48x48 pixel 


version that’s more than twice as 
large as the standard 32x32 icons 
used in previous Windows versions. 
The extra detail is most useful in 
the new Tiles view, where two or 
three lines of annotation can 
appear alongside the icon to 
provide additional information. 


Integrated themes. Microsoft first 
introduced desktop themes in the 
Plus Pack add-in to Windows 95 as 
a way to save sets of color 
schemes, fonts, font sizes, sounds, 
and other interface elements. In 
Windows XP, theme support is 
tightly integrated into Control 
Panel’s Display utility and supports 
changes to common controls, 
window borders, and menus as 
well. 


Improved Usability for 
Everyday Tasks 


Most of the basic building blocks of the Windows 
XP user interface are familiar from previous 
Windows versions—you'll find the desktop, Start 
button, and taskbar, for example, right where you 
expect them to be. But dig deeper into menus 
and dialog boxes and you'll discover hundreds of 
changes that grew out of testing in Microsoft’s 
usability laboratory. Many of these changes are 
intended to make Windows computing easier for 
novice users, but in some cases the hand-holding 
and extra explanation can unnecessarily slow 
down power users. 


For instance, the default Control Panel view 
organizes icons into a task-based Category view 
that requires drilling down an extra level to get to 
advanced options. As an experienced Windows 
user, you'll probably prefer the Classic view of 
Control Panel, where every icon appears in a 
single folder window. Throughout this book, we'll 
point out similar places where you can adjust 
default settings to give yourself faster access to 
the features you use most. 


You can configure Windows XP to use the Classic 
Start menu style, which is practically 
indistinguishable from the Windows 2000 
interface. But if you’re a power user, we 
recommend that you try out the new Windows XP 
interface for at least a week. You may discover 
that some of the interface changes cure long- 
standing Windows annoyances. Among the 
productivity-boosting improvements in Windows 
XP are the following: 


e Friendly Welcome screen. As the 
administrator of a Windows XP 
machine, you define a user account 
for each person allowed to use that 
computer. The Welcome screen lists 
each authorized user; each user 
clicks his or her name and enters a 
password (if required) to jump toa 
personalized desktop and unlock 
access to private files. On a shared 
PC, you can switch between users 
without having to close down 
running programs or stop a 
download. You can drop in and 
check your e-mail or send a quick 
instant message, for instance, while 
another user takes a brief break. 


e Fast User Switching. On a shared 
home computer, the capability to 
switch quickly between accounts 
without having to log off is an 
absolute killer feature and the 
single best reason to prefer either 
edition of Windows XP over 
previous Windows versions. When 
you step away from the computer, 
you can leave documents open and 
keep your e-mail program running 
in the background, checking for 
new messages at regular intervals. 
The default Windows XP screen 
saver switches to the Welcome 
screen after 10 minutes with no 
keyboard or mouse activity. 


e Start menu improvements. The 
redesigned Windows XP Start 
menu, shown in Figure 1-3, uses 


more on-screen real estate than the 
Start menu you know so well. By 
using two columns instead of one, 
itorganizes shortcuts to the 
programs you use most often, to 
locations where your personal files 
are stored, and to system folders 
and tools. 


A cleaner desktop. In a clean 
installation, the Windows XP 
desktop is downright Spartan, with 
only the Recycle Bin installed there 
by default. A wizard periodically 
sweeps across the desktop, offering 
to move icons that haven’t been 
used recently into an Unused 
Desktop Shortcuts folder. In a 
similar vein, Windows XP groups 
taskbar buttons to avoid the 
common problem of buttons being 
SO small as to be unusable. If you 
have five browser windows open, 
for instance, all those windows will 
be grouped under a single Internet 
Explorer button, with a number on 
the button to tell you how many 
separate windows are grouped 
there; click that button to choose 
from a menu that lists the titles of 
each individual window. 


“-Figure 1-3. The new two- 
column Start menu offers 
quicker access to common 
locations and maintains a 
dynamic list of shortcuts to the 
programs you use most often. 


Figure 1-3. The new two- 
column Start menu offers 
quicker access to common 
locations and maintains a 
dynamic list of shortcuts to the 
programs you use most often. 


e Easier file management. 
Windows Explorer gets a thorough 
overhaul in Windows XP. When a 
folder window is open, clicking the 
Folders button toggles the left pane 
between the familiar Folders tree 
and the new task pane, containing 
a set of links that offer quick access 
to common tasks, shortcuts to 
related locations, and details about 
the current selection. The new Tiles 
view offers an alternate 
organization of common locations; 
this view is particularly effective in 
the My Computer window, as Figure 
1-4 shows. Windows Explorer in 
Windows XP is also much smarter 
about file associations than earlier 
versions. 


Toggle the Folders tree Regardless of 
which view you use for a given folder, 
you can click the Folders button to 
toggle between Windows Explorer’s 
Folders bar and the task pane. Use the 
double arrows at the right of each 


menu to collapse or expand the 
choices shown in that box; in the 
Details box, the double arrow toggles 
the display of information about the 
currently selected file or folder 
including previews of image files). 


“Figure 1-4. Collapsible menus 
(left) let you see details about 
the current selection and 
choose common actions 
without having to right-click. 


Figure 1-4. Collapsible menus 
(left) let you see details about 
the current selection and 
choose common actions 
without having to right-click. 


e Extensive Help and support 
resources. As you would expect, 
the online Help files are filled with 
tutorials, troubleshooters, and step- 
by-step instructions, but those 
static resources are just a start. 
The HTML-basedHelp And Support 
Center shown in Figure 1-5 takes 
advantage of your Internet 
connection to update Help files with 
headlines from Microsoft’s support 
site. From the Help And Support 
Center window, you can also search 
the Microsoft Knowledge Base, 
access Windows XP newsgroups, 
connect to Microsoft support, and 
even run your own help desk using 
the Remote Assistance feature. 


Provide personal support 


It never fails: When friends, 
coworkers, or family members 
discover that you’re a Windows 
expert, you get pressed into service as 
an unpaid support technician. If the 
party asking for help is running any 
edition of Windows XP and has an 


active Internet connection, your job is 
much easier. Have the other person 
send you a Remote Assistance 
request; when you accept the request, 
you connect directly to their computer 
and can edit registry settings, fix file 
associations, set System options, and 
perform just about any other 
troubleshooting or repair task, just as 
if you were sitting at the other 
person’s desk. 


For more details on how to configure 
the Help And Support Center and use 


Remote Assistance, see Chapter 4, 
“Help and Support Options.” 


“-Figure 1-5. The Help And Support Center 
provides direct access to system utilities and 
information, including articles from 
Microsoft’s Knowledge Base. 


Figure 1-5. The Help And Support Center 
provides direct access to system utilities and 
information, including articles from 
Microsoft’s Knowledge Base. 


Internet Enhancements 


As befits a twenty-first-century operating system, 
Windows XP includes an extensive array of 
Internet features that go far beyond basic 
browsing. Three improvements are worthy of 
special note: 


Internet Explorer 6 Windows XP incorporates 
the most recent version of Microsoft’s browser. It 
gets the same visual overhaul as the rest of 
Windows, with bright toolbar button images, and 
it integrates streaming media playback tools into 
the task pane on the left. But its most worthwhile 
new capability is “under the hood,” where 
Internet Explorer 6 incorporates controls you can 
use to protect your privacy. By default, the 
browser uses privacy policies to determine what 
personally identifiable information can be stored 
by a Web site; if you want greater control over 
your personal data, you can build a custom policy 
that determines on a site-by-site basis which 
cookies are allowed and which are blocked. 


To learn how privacy policies and 


cookie controls work, see “Managing 
Cookies.” 


Internet Connection Firewall The explosion in 
popularity of “always on” Internet connections, 
such as cable modems and DSL hook-ups, has a 
dark side. Even a technically unsophisticated 
hacker can break into a poorly secured computer 
and access private files or plant a Trojan horse 
program. Unlike any previous Windows version, 
Windows XP includes a bare-bones firewall that 
stops the most common attacks. 


If you already use a third-party 
firewall program such as ZoneAlarm, 


see “Limitations of Internet 
Connection Firewall.” 


Internet Connection Sharing Every version of 
Windows since Windows 98 Second Edition has 
included software that allows you to share a 
single Internet connection over a home or small 
business network. Windows XP streamlines the 
setup process and adds the capability for remote 
users to stop and start a dial-up connection on 
the gateway PC. 


Integrated Tools for Working 
with Digital Media 


If you’ve used previous Windows versions to work 
with digital images or music files, you’ve no 
doubt struggled with cumbersome third-party 
utilities and complex file-transfer procedures. 
With an assortment of wizards and new features, 
Windows XP streamlines the experience of 
working with all types of digital media. 


Digital Music 


Windows Media Player 8 is included in both 
editions of Windows XP. As Figure 1-6 shows, it’s 
especially adept at managing your music 
collection. 


Use Windows Media Player to accomplish any of 
these everyday tasks: 


e Play music CDs and download 
information about the artist, album, 
and tracks from the Internet. 


e Copy (“rip”) tracks from a CD and 
store them as digital music files on 
your hard disk. Windows Media 
Player 8 supports the popular MP3 
format and Windows Media Audio 
(WMA) files. 


Organize digital media files in the 
My Music folder. Windows XP stores 
downloaded information about each 
track in the properties for the 
digital music file and uses 
downloaded CD cover images to 
identify each folder. 


e Copy music files from your hard 
drive to a portable music player, or 
use a CD-R/CD-RW drive to create 
custom CDs. 


“Figure 1-6. Use Windows Media Player 8 to 
copy tracks from music CDs to files on your 

hard disk. Then create custom playlists and 

copy the music to portable players and even 
custom CDs. 


Figure 1-6. Use Windows Media Player 8 to 
copy tracks from music CDs to files on your 
hard disk. Then create custom playlists and 
copy the music to portable players and even 
custom CDs. 


For detailed information about digital 
music features in Windows XP, see 


Chapter 17, “Using Windows Media 


Digital Pictures 


Thanks to digital cameras, you no longer have to 
pay for expensive film developing. Figure 1-7 
shows the Scanner And Camera Wizard, which 
does a superb job of connecting to newer digital 
cameras and flash memory cards so that you can 
quickly preview captured images and transfer 
them to your hard drive. By adjusting a few 
options, you can automate this process so that 
transferring digital images requires almost no 
extra effort from you. 


Managing a large collection of digital photos is 
easier, too, thanks to file viewing tools built into 
Windows Explorer. Figure 1-8 shows the new 
Filmstrip view of the My Pictures folder. Each 
image in the folder appears as a thumbnail along 
the bottom of the window, with the currently 
selected image visible in a much larger preview 
area that occupies the top of the folder window. 
You can also view the contents of a folder as a 
slide show. 


The My Pictures folder includes links to 
commercial services where you can order 
professionally printed copies of digital images. If 
you have a color printer, use the Photo Printing 
Wizard (shown in Figure 1-9) to crop and resize 
images; then use the layout tools to combine 
multiple images on a single sheet of paper. 


#“-Figure 1-7. The Scanner And Camera 
Wizard walks you through the process of 
transferring images from an external device 
to your hard disk. 


Figure 1-7. The Scanner And Camera 
Wizard walks you through the process of 


transferring images from an external device 
to your hard disk. 


“Figure 1-8. The new Filmstrip view 
combines thumbnails and a large Preview 
area to make it easy to quickly inspect the 
contents of a folder full of digital photos. 


Figure 1-8. The new Filmstrip view 
combines thumbnails and a large Preview 
area to make it easy to quickly inspect the 
contents of a folder full of digital photos. 


“Figure 1-9. The Photo Printing Wizard 
allows you to lay out multiple images ona 
single sheet, to avoid wasting expensive 
paper and other supplies. 


Figure 1-9. The Photo Printing Wizard allows 
you to lay out multiple images on a single 
sheet, to avoid wasting expensive paper and 
other supplies. 


To learn how to set up a digital camera 
or scanner and manage image files in 


Windows XP, see Chapter 18, 
“Organizing and Editing Images.” 


Digital Video 


If you have the correct hardware, Windows XP 
gives you access to a passable set of video 
playback and editing tools. 


e On any system equipped with a 
DVD drive and a compatible 
decoder (software or hardware), 
you can play back prerecorded DVD 
discs in Windows Media Player. This 
feature is especially useful for 
frequent travelers with Windows 
XP-equipped notebooks; skip the 
in-flight movie and watch a DVD 
from your own collection instead. 


e Use the Windows Movie Maker 
program to capture video from a 
cam-corder or VCR; then edit it and 
add titles, narration, and other 
effects. No one will confuse Movie 
Maker with a professional strength 
video editing package, but its 
capabilities are good enough for 
casual use. It’s particularly effective 
at compressing video clips down to 
sizes that can be sent easily via e- 
mail or posted on a Web page. 


Network Smarts 


Windows XP was designed from the ground up to 
work well on networks of all sizes. In most cases, 
setting up a simple home network is automatic. 


e Network Setup Wizard. Although 
you can choose to configure 
networking components manually, 
Windows XP automates most 
network configuration tasks with a 
simple straightforward wizard. Use 
the wizard to set up a simple home 
network, configure Internet 
Connection Sharing, create 
connections to dial-up Internet 
accounts, or connect to a corporate 
network over a virtual private 
network (VPN). 


Quickly fix connectivity problems 


Are you having trouble connecting to 
other computers on your local area 
network? If your network uses a 
hardware firewall that assigns IP 
addresses to each machine and you're 
certain you've configured all other 
components correctly, check to see 
whether the Internet Connection 
Firewall is enabled. That component 
can effectively block communication 
between PCs on the network. 


For step-by-step network setup 
instructions, see Chapter 29, “Setting 
Up a Small Network.” 


e Wireless access. Out of the box, 
both editions of Windows XP 
support wireless networks that 
follow the IEEE 802.11b standard, 
including Agere’s (formerly Lucent) 
Orinoco and Cisco’s Aironet 
systems. These solutions are 
appropriate in homes and small 
businesses where stringing 
Category 5 cable is impractical; 
they also allow notebook users to 
access public wireless systems such 
as those found in an increasing 
number of airports and coffee 
shops. 


e Remote Desktop connections. 
One of the coolest features in 
Windows XP Professional is its 
support for remote connections to 
another PC. When you allow remote 
connections (this feature is disabled 
by default), anyone with an 
authorized user account can log in 
to the machine over a local area 
network or across the Internet, 
using the dialog box shown in 
Figure 1-10. Use this feature to 
access your work PC from home 
(eliminating the need to keep files 
in sync between two PCs). Ona 
home network, you might use this 
feature to connect to a Windows XP 
Professional computer from another 
PC so that you can run an 
application without having to install 
it on the remote computer. 


“Figure 1-10. Using the 
Remote Desktop feature, you 
can connect to a Windows XP 
Professional machine from 
another PC, even if the remote 
computer is using an earlier 
Windows version. 


Figure 1-10. Using the 
Remote Desktop feature, you 
can connect to a Windows XP 
Professional machine from 
another PC, even if the remote 
computer is using an earlier 
Windows version. 


For full instructions on how to set up 
and use the Remote Desktop feature, 


see “Setting Up a Remote Desktop 
Connection to Another Computer.” 


Professional or Home Edition: What’s 
the Difference? 


To understand the differences between 
the two editions of Windows XP, 
remember this simple fact: Windows 
XP Professional contains everything 
included in Windows XP Home Edition 
and much more. 


The operating system kernel is 
identical in both editions. The Web 
browser works the same, as do all the 
file and folder management tools and 
techniques in Windows Explorer. Some 
default settings are different, 
depending on the edition in use; for 
instance, the taskbar is locked by 
default in Windows XP Home Edition 


but not in Professional. Regardless of 
which edition you use, you'll find most 
of the same system management 
utilities and troubleshooting tools, and 
there’s no difference in the bundled 
applications used to manage digital 
media. 


To discover the true differences 
between the two editions, you need to 
dig a little deeper. As Table 1-1 shows, 
most of the differences are obvious 
only when you use specialized 
hardware or try to access advanced 
security and networking features and 
capabilities. 


If you consider yourself a power user, 
we predict you'll prefer Windows XP 
Professional. But that doesn’t mean 
you need to upgrade every machine 
on your network. Windows XP Home 
Edition and Professional coexist 
happily on a network; in fact, both 
editions get along well with earlier 
Windows versions and even with 
computers running other operating 
systems. If you choose to use Home 
Edition, much of the information in 
this book is still relevant; in sections 
where we discuss advanced features 
available only in Windows XP 
Professional, we’ve highlighted that 
fact. 


Table 1-1. Key Features Available 
Only in Windows XP Professional 


Feature Description 


Feature 


Support for 
multiple 
processors 


Support for 
64-bit CPUs 


Description 


Windows XP 
Professional 
supports 
symmetric 
multiprocessor 
(SMP) designs 
that employ 
up to two 
CPUs. If you 
install 
Windows XP 
Home Edition 
on an SMP 
system, it will 
not use the 
second 
processor. 


Systems built 
around a 64- 
bit Intel 
Itanium 
processor 
must use a 
64-bit version 
of Windows 
XP 
Professional; 
the Home 
Edition is 
unable to 
work with this 
CPU. 


Feature 


Advanced 
security 
features 


Description 


Several 
sophisticated 
security 
capabilities 
are found only 
in Windows XP 
Professional, 
including 
support for 
Encrypting 
File System 
and Internet 
Protocol 
Security 
(IPSec) as 
well as the 
ability to 
assign 
complex 
access 
controls to 
files. 


Feature 


Internet 
Information 
Services 


Remote 
Desktop 
Connection 


Description 


Using 
Windows XP 
Professional 
Edition, you 
can set up a 
personal Web 
server using 
Internet 
Information 
Services (IIS) 
5; this 
capability is 
not available 
in Home 
Edition. 


Using this 
feature, you 
can configure 
a Windows XP 
Professional 
machine to 
allow remote 
access, either 
across a local 
area network 
or over the 
Internet. The 
client machine 
can be 
running any 
32-bit version 
of Windows, 
including 
Windows 
95/98/Me, 


Feature 


Description 


Windows 
2000, or any 
version of 
Windows XP. 
You cannot 
make a 
remote 
connection to 
a system 
running 
Windows XP 
Home Edition 
(although it 
does include 
the similar 
Remote 
Assistance 
feature, which 
allows a 
remote user 
to share the 
desktop for 
Support and 
training 
purposes). 


Feature 


Domain 
membership 


Description 


Ona 
corporate 
network, 
Windows XP 
Professional 
Edition can 
join a domain 
and take 
advantage of 
domain-based 
management 
features such 
as group 
policies and 
roaming 
profiles. A 
system 
running 
Windows XP 
Home Edition 
can access 
domain 
resources 
such as 
printers and 
servers, but it 
does not exist 
as an object 
in the domain. 


Feature 


Dynamic 
disks 


Description 


Windows XP 
Professional 
allows you to 
create disk 
volumes that 
span multiple 
hard drives; 
this capability 
allows you to 
increase the 
storage 
Capacity and 
performance 
of drives. 
Windows XP 
Home Edition 
supports only 
basic 
volumes, 
which follow 
the same 
basic 
partitioning 
rules as disk 


structures 
created in 
Windows 
95/98 and 
Windows Me. 


Microsoft Office XP Inside Out 
Chapter 1 


An Office XP Overview 
A Rundown on Office XP 


The Microsoft Office XP suite provides more 
applications and utility programs than ever 
before. Which ones you have depends upon which 
edition of Office XP you own or which individual 
Office applications you’ve obtained. This book 
covers all the major Office XP applications: 


e Microsoft Word (Part 3) 

e Microsoft Excel (Part 4) 

e Microsoft PowerPoint (Part 5) 
e Microsoft Outlook (Part 6) 

e Microsoft FrontPage (Part 7) 
e Microsoft Access (Part 8) 


e Microsoft Publisher (Part 9) 


The book also covers many of the valuable utility 
programs and add-ons that are included with 
Office XP (or are available on the Web) and that 
help you work with the main applications: 


e Office Shortcut Bar (Chapter 4) 


e newfeature! Clip Organizer 
(Chapter 6). See Figure 1-1. 


e Microsoft Graph (Chapter 6) 
e Microsoft Equation (Chapter 6) 


e Save My Settings Wizard (Chapter 
9) 


e Office Resource Kit, including the 
Custom Installation Wizard 
(Chapter 2) 


“-Figure 1-1. You can run the new Clip 
Organizer program in its own window, shown 
here, or through the new Insert Clip Art task 
pane. 


Even if you don’t have one or more of the 
applications covered in this book, you might want 
to read some of the information about these 
applications to help you decide whether to add an 
Office program to your software collection or 
whether you're better off using the applications 
you already have. 


Advantages of the Office XP Suite 


Obtaining and installing the Office XP application 
suite, rather than acquiring individual applications 
here and there, isn’t just a way to economize by 
buying programs “cheaper by the dozen.” The 
real advantages of a software suite such as Office 
XP lie in the common user interface and the 
application integration features. 


In Office XP, the individual applications share 
more common features than in any previous 
Office version. An obvious advantage of a 
common user interface is that once you learn one 
application, it’s much easier to learn another. 
Also, as you switch between applications, you 
won't have to switch working modes quite so 
radically. And, perhaps most important, a 
common user interface frees your focus from the 
individual applications and their idiosyncrasies 
and lets you concentrate on the documents 
you're creating. The following are examples of 
important common features in the Office XP 
Suite: 


e The menus, toolbars, shortcut keys, 
and the methods for customizing 
these features. 


e The common dialog boxes (notably, 
the Open and Save As dialog 
boxes), with shared features such 
as the Search command that now 
lets you find either files or Outlook 
items. 


e The task panes (described later in 
this chapter). See Figure 1-2. 


@ © Basic Search vX 


Search for: 


Search text: 


be 
Restore | 


(2) Search Tips... 
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Figure 1-2. The new Search 
task pane, which is available in 
most Office applications, lets 
you locate either disk files or 
Outlook items. 


e The methods for displaying and 
setting document properties. 


e The speech and handwriting 
interfaces. 


e The drawing features (Drawing 
toolbar, AutoShapes, Diagrams, 
WordArt, and others). See Figure 1- 
3. 
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Figure 1-3. The new Diagram 
Gallery dialog box lets you 
quickly insert a variety of 
ready-made conceptual 
drawings. 


The proofing tools (Spelling, 
Thesaurus, AutoCorrect, and 
others). 


e The help interface and the Detect 
And Repair command. 


The Visual Basic for Applications 
(VBA) programming features. 


The ability to store and share 
documents on SharePoint team 
Web sites. 


The Office XP applications are also more tightly 
integrated than ever. Application integration 
extends the usefulness of the individual 
applications. It lets you combine applications in a 
synergistic way to solve more complex problems 
and to easily accomplish otherwise difficult tasks. 
The following are examples of application 
integration features available in Office XP: 


The Office Shortcut Bar, as well as 
the New Office Document and Open 
Office Document commands on the 
Start menu in Windows, which let 
you create or open any type of 
Office document 


The ability of Office applications to 
import and export each other’s 
documents (using the Open and 
Save As dialog boxes, as well as 
special purpose commands for 
importing and exporting documents 
or data) 


The capability of using data stored 
in Outlook or Access when creating 
mail-merge documents in Word 


Commands for linking and 
embedding data from several Office 
applications in a single compound 
document 


VBA, the common programming 
language of the Office applications 
and the most powerful way to 
create solutions using multiple 
Office applications 


An Office XP Map 


If you’re not sure where to start with Office, you can use 
Table 1-1 to select the best Office application to use for 
creating the type of document you want or for 
performing the task you need to complete. 


For a more detailed rundown on an Office XP 
application, see the first chapter in the part 
of the book that covers that application. 


Table 1-1. The Best Office XP Application to Use for 
Performing Specific Tasks 


Office XP 
Application Task 
to Use 


Word e Create general printed 


or online documents of 
all kinds—for example, 
memos, letters, faxes, 
reports, contracts, 
résumés, manuals, 
theses, and books. 


e Enter and organize 
research notes, 
outlines, and other 
types of free-form text 
information. 


e Generate form letters, 
envelopes, labels, and 
other mail-merge 
documents (see Figure 
1-4). 


e Print individual labels 
and envelopes. 


e Create general- 
purpose, relatively 
simple Web pages, 


Office XP 
Application Task 
to Use 


Excel 


which can include 
almost any Word 
document element, 
plus movies, sounds, 
forms, frames, visual 
themes, navigation 
bars, and components 
for accessing 
information ona 
SharePoint team Web 
site. Use templates to 
create personal Web 
pages and other types 
of pages or use the 
Web Page Wizard to 
create simple Web 
sites. 


Save, organize, 
calculate, analyze, and 
chart numeric business 
or personal data in a 
spreadsheet (row and 
column) format. For 
example, balance 
checking accounts, 
prepare invoices, plan 
budgets, trackorders, 
or maintain general 
accounting ledgers. 


Store relatively simple 
text or numeric data in 
lists that organize the 
information into 
records (rows) and 
fields (columns)—for 
example, a product 


Office XP 
Application Task 
to Use 


inventory or 
descriptions of 
members of your ski 
racing team. Sort, find, 
filter, automatically fill, 
summarize, group, 
outline, or subtotal 
data. Display data in 
varying combinations 
using pivot tables or 
pivot charts. 


Publish static or 
interactive 
spreadsheets, charts, 
or pivot tables, for 
displaying numeric, 
text, or graphic 
information on the 
Web. Publish forms on 
the Web for collecting 
data in lists or other 
databases. 


Office XP 
Application Task 
to Use 


PowerPoint 


e Create multimedia 


presentations 
consisting of sets of 
slides to teach, sell, 
communicate, or 
persuade. Include text, 
graphics, animations, 
sound, and video in 
your presentations. 
Present multimedia 
information using 35 
mm slides, 
transparencies for 
overhead projectors, 
speaker notes, printed 
handouts, or live slide 
shows on a computer 
or computer projector. 


Publish presentations 
on the Web that consist 
of a series of 
multimedia slides 
displaying text, 
graphics, animations, 
sounds, or videos. 


Office XP 
Application Task 
to Use 


Outlook 


FrontPage 


Send, receive, and 
organize e-mail 
messages. Exchange 
instant Internet 
messages. 


Store and manage 
personal information 
(appointments, names 
and addresses, to-do 
lists, journal entries, or 
free-form notes). 


Communicate and 
coordinate with 
members of your 
workgroup (schedule 
meetings, manage 
group projects, and 
share information and 
files). 


Access files on local or 
network disks and 
explore Web sites. 


Publish snapshots of 
your calendar on the 
Web. 


Create entire Web sites 
using templates or 
wizards—such as a site 
for establishing a 
corporate presence, 
displaying personal 
information, conducting 
an online discussion, 


Office XP 
Application Task 
to Use 


managing a project, or 
accessing shared 
information stored on a 
SharePoint team Web 
site (see Figure 1-5). 
Use visual themes to 
apply consistent 
formatting to all pages 
in your site. 


Manage your Web site 
(maintain files and 
folders, display reports, 
create and update 
hyperlinks, track tasks, 
publish your site, or 
control the source in 
workgroups). 


Create a Web page 
quickly using a 
template or wizard (for 
example, a page 
containing a 
bibliography, a 
feedback form, ora 
table of contents). 


Create or edit a Web 
page using a full- 
featured HTML 
(Hypertext Markup 
Language) editor, which 
supports all standard 
Web page elements and 
provides ready-to-use 
Web-page components 
(date and time stamps, 
comments, hover 
buttons and other 


Office XP 
Application Task 
to Use 


Access 


dynamic effects, forms 
for searching the site, 
spreadsheets and 
charts, hit counters, 
galleries of photos, 
included files, link bars, 
tables of contents, site 
usage statistics, views 
of information stored 
on a SharePoint team 
Web site, and controls 
that display information 
from Web sites such as 
MSN). 


Store, organize, select, 
and present data ina 
relational database, 
which allows you to 
easily manage large 
amounts of complex or 
interrelated data and to 
divide data into 
separate, related tables 
to maximize storage 
efficiency. 


Publish an interactive 
form on an intranet 
that allows users to 
view or update 
information from a 
database. 


Office XP 
Application Task 
to Use 


Publisher 


e Use wizards to create 


brochures, flyers, 
signs, greeting cards, 
business cards, menus, 
catalogs, newsletters, 
and other relatively 
short documents that 
have precise page 
layouts integrating text 
and graphics. 


Create coordinated sets 
of publications 
(business cards, 
letterheads, envelopes, 
fax cover sheets, and 
SO on). 


Use wizards to create 
graphical Web pages. 
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personalize the letter that each person 
receives, 


Click Next to continue. 
Step 1 of 6 


$ Next: Starting document 


Figure 1-4. Word’s new Mail Merge task pane 
makes it easy to create and print form letters, 
envelopes, labels, and other mail-merge 


documents. 
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Figure 1-5. In FrontPage you can create a new 
team Web site on a Web server running SharePoint 
Team Services from Microsoft. This figure shows the 
home page of a newly created team site. 


What’s New in Office XP 


The following sections briefly describe many of 
the new features and enhancements found in 
Office XP. (Office XP has so many new features 
and enhancements that it would be difficult to list 
them all!) 


New Common Office XP Features 


Each of the following new features is available in 
most—or many—of the main Office XP 
applications. 


e Task panes In Office applications 
you can now carry out certain 
operations or choose selected 
options using a new alternative to a 
dialog box known as a task pane. A 
task pane is a Web-style command 
area that you can dock along the 
right or left edge of the window or 
float anywhere on the screen. Most 
Office applications provide the 
following common task panes: New 
Document (the name varies with 
the specific application), Clipboard, 
and Search. (For examples of task 
panes, see Figures 1-2 and 1-4.) 


e Search feature Office XP includes 
a new search feature that you can 
use to locate files on local disks, 
network drives, or Web sites or to 
find items in Outlook folders. You 
can run the search feature in the 
Search task pane (see Figure 1-2), 
or in a dialog box that you display 
from the Open or Open Office 
Document dialog box. 


e Document recovery Office XP 
provides many new features to help 
you recover your data in the event 
of a program crash. For example, 
Office applications attempt to save 


your document when a crash 
occurs, and, on restarting, provide 
a Document Recovery task pane to 
help you restore your document. 
Also, you can use the new Office 
Application Recovery utility to break 
into a hung application so it can 
save your data. And you can use 
the Open And Repair option in the 
Open dialog box to attempt to 
repair a corrupted document. 


Speech recognition In Office XP 
applications you can now dictate 
text rather than type it, and you 
can issue basic commands by 
speaking them rather than by using 
the mouse or keyboard. 


Handwriting interface Office XP 
applications now let you enter text 
into a document using an electronic 
tablet and pen or (with difficulty) 
an ordinary mouse. You can either 
insert handwritten characters (such 
as your signature), or you can have 
Office recognize your handwritten 
characters and convert them to 
regular text. 


Smart tags Office XP applications 
can now recognize a wide range of 
different data types entered into a 
document (such as names, dates, 
addresses, and stock ticker 
symbols). The application converts 
each recognized piece of data into a 
smart tag, and you can then use a 
menu attached to the smart tag to 


perform useful actions on that data, 
automatically invoking the required 
Windows program. 


AutoCorrect Options button 
After the Office AutoCorrect feature 
makes a change, you can modify 
the correction using the new 
AutoCorrect Options button. 


Paste Options button When you 
paste data into an Office XP 
document, a Paste Options button 
appears, allowing you to select the 
desired format of the pasted data 
and to switch among different 
formats to determine the one you 
want. 


XML (Extensible Markup 
Language) support Excel and 
Access 2002 can now import and 
export data from and to XML 
documents. Also, you can have 
FrontPage 2002 apply XML 
formatting rules when generating 
the HTML source for the Web pages 
you create. 


Diagrams In Office XP applications 
you can now get a head start in 
building a conceptual drawing— 
such as an organization chart or a 
Venn diagram—by inserting a 
ready-made Office diagram. (See 
Figure 1-3.) 


Windows in Taskbar option You 
can now display documents in top- 
level windows with buttons in the 


Windows Taskbar (as in Office 
2000), or you can display them in 
child windows within a single top- 
level application window without 
displaying a toolbar button for each 
document window (as in Office 97 
and earlier). 


New From Existing command 
You can now create a new 
document based on an existing 
document as an alternative to using 
a template. 


SharePoint access In Office XP 
applications you can now open or 
save documents stored on a 
SharePoint team Web site, you can 
participate in online discussions 
hosted by the site, and in some 
types of Office documents you can 
insert Web components that allow 
you to view and modify shared 
information stored on a team site. 
(A team Web site is hosted by a 
Web server that runs SharePoint 
Team Services, and it provides 
collaboration features that allow 
workgroups to share documents 
and exchange information. See 
Figure 1-5.) 


New Word Features 


e New formatting features Word 
2002 now saves and lets you 
reapply directly assigned formatting 
features as an alternative to using 
styles. In addition to character and 
paragraph styles, Word provides 
table and list styles for applying 
predefined formatting features to 
tables and to multilevel lists. To find 
out what formatting and style (or 
styles) have been applied to 
characters in your document, you 
can use the new Reveal Formatting 
task pane. To remove all formatting 
from text, you can use the new 
Clear Formatting command. To find 
text that’s inconsistently formatted 
with the rest of the document, you 
can use Word’s new formatting 
consistency checker. To select all 
text that has the same style or 
saved format as the current 
selection, you can use the new 
Select All command. And you can 
simultaneously select multiple 
blocks of text or graphics in a 
document so that you can format or 
edit all of them at once. 


e Change tracking The change 
tracking feature has been 
completely revamped—for example, 
you can have Word mark changes 
using margin balloons without 
disturbing the line and page breaks 
in the document. 


Comments In Word 2002, 
comments have also been 
extensively redesigned—for 
instance, you can have Word 
display comment text in margin 
balloons, making it easy to insert, 
view, or edit the comment text. 


Document security Document 
security has been enhanced—for 
example, the Options dialog box 
provides a new Security tab, and 
you can attach a digital signature to 
a document. 


Document statistics You can 
display the number of words, 
characters, lines, pages, or 
paragraphs in the current document 
using the new Word Count toolbar. 


Text translation You can use 
Word’s new Translate task pane to 
translate into a different language 
either a word, or—by means of a 
translation service on the Web—a 
phrase, a block of text, or an entire 
document. 


Watermarks Word's new Printed 
Watermark command makes it easy 
to add a document watermark, 
which consists of faint text or 
graphics displayed across every 
page in the document or ina 
document section. 


Booklet printing Word provides 
new page setup and printing 


options that make it easy to directly 
print a booklet or even a book. 


Mail Merge Wizard Word's new 
Mail Merge Wizard, which runs in 
the Mail Merge task pane, makes it 
easy to create form letters, 
envelopes, labels and other mail- 
merge documents. (See Figure 1- 
4.) 


New Web page formats Word 
now lets you save a Web page in 
the Web Archive (*.mht, *.mhtml) 
format, which saves everything ina 
single Web archive file. You can also 
filter a Web page when you Save it, 
which generates a smaller and 
“cleaner” HTML file by preserving 
only the essential document 
information (but with the possible 
loss of document features). 


New Excel Features 


e Unlocking data A number of new 
tools make it easier to find, 
analyze, and publish data 
associated with worksheets in Excel 
2002. Web queries make it easier 
to link to data on the Web. Web 
Page AutoRepublish automatically 
keeps Web pages in sync every 
time you save your document. Copy 
Paste Web Query automatically 
links to data on the Web when you 
paste it from a Web page. Import 
Data allows you to easily find and 
share data sources. 


e Improved pivot tables Pivot 
tables have been improved with 
drop-down menus and other user 
interface enhancements. The 
automatic GetPivotData formula 
streamlines the analysis of pivot 
table data. 


e Access to more data Excel 2002 
works with more data types, 
including common data sources on 
the Web. XML is supported as a 
data interchange format, and 
worksheets can be linked directly to 
XML data on the Web. The new 
real-time data (RTD) function 
brings real-time data into Excel for 
analysis. 


e Command and feature 
enhancements Numerous menu 
command and product feature 


enhancements make Excel even 
easier to use in fundamental areas, 
including link management, Find 
and Replace searches, hyperlink 
navigation, sorting, drawing 
borders, inserting international 
number formats, editing cells 
vertically, error checking, and 
customizing headers and footers 
with graphics and additional 
information. The IntelliPrint feature 
eliminates the printing of blank 
pages, an enhancement designed 
to conserve your printing and paper 
resources. 


New PowerPoint Features 


e Collaboration Several tools make 
it easier to edit and review 
PowerPoint 2002 presentations in 
workgroup environments. You can 
now Save presentations with 
password protection, so that 
reviewers can view presentations in 
PowerPoint but not edit or save 
them. Web broadcasting is now 
easier to use. Authors can now 
attach digital signatures to their 
presentations to increase security 
and reviewer confidence. 
Presentation review cycles in 
workgroups have been made easier 
through routing and reconciliation 
features, which manage change 
requests from multiple reviewers. 
Comments have been revised so 
that in addition to allowing 
reviewers the chance to insert 
“hidden” notes in presentations, 
they can be compared to one 
another, merged together, and 
printed in a new way. 


e Animation You can now apply a 
combination of animation and 
transition schemes to your whole 
presentation at once—a significant 
time saver. New slide transition 
effects include Comb, Fade 
Smoothly, Newsflash, Push, Shape, 
Wedge, and Wheel. Custom 
animation effects are easier and 
more impressive now that 


PowerPoint lets you control exit 
animations, path animations, and 
timed/simultaneous animations. 


Everyday tasks made easy The 
Copy and Paste commands are 
better able to handle inserting 
different content types and a larger 
volume of information. Print 
Preview allows you to determine 
how a presentation prints and lets 
you make fine-tuning adjustments. 
Slide formatting is easier with “one- 
click” formatting. You can apply 
more than one design template to 
the same presentation. Thumbnail 
views of your slides are now 
available in Normal View. 


New Outlook Features 


Single configuration Outlook 
2002 no longer has the separate 
Corporate Or Workgroup and 
Internet Only configurations. The 
features of both these 
configurations are combined in a 
unified configuration. 


Enhanced Preview pane If you 
select an item in the Calendar, 
Contacts, or Journal folder, the 
Preview pane now displays the item 
within its form (that is, within the 
form used to display the item when 
you open it). 


Outlook item search You can 
search for Outlook items, as well as 
disk files, by using the new Search 
task pane in Office applications. 
(See Figure 1-2.) 


Account groups If you have more 
than one e-mail account, you can 
now set up account groups to 
control exactly which accounts 
Outlook uses to send and receive e- 
mail when you initiate a send and 
receive operation and also to have 
Outlook automatically send and 
receive e-mail at fixed intervals 
using specific accounts. 


Easier management of e-mail 
headers Outlook provides an 
easier interface for downloading 
and screening e-mail message 


headers before you download the 
full content of your messages. 


Mailbox Cleanup You can use the 
new Mailbox Cleanup dialog box to 
weed out messages when your 

Inbox starts growing out of control. 


Appointment color coding You 
can now tag your appointments 
using colors—for example, red for 
an important appointment, blue for 
a business appointment, green for 
a personal appointment, and so on. 


Alternative meeting times When 
you use Outlook to plan a meeting, 
an attendee can now reply by 
proposing a new meeting time, 
rather than simply accepting or 
declining the invitation. 


Enhanced meeting planner You 
can now consult the meeting 
planner whenever the Calendar 
folder is open, without actually 
scheduling a meeting. 


Unified Reminders dialog box All 
pending appointment reminders are 
now displayed in a single 
Reminders dialog box, so you don’t 
have to view and close a separate 
dialog box for each one. 


Instant Messaging You can now 
use Instant Messaging to 
communicate from Outlook in real 
time. 


e Address Bar You can use the new 
Address Bar to explore Web pages 
within the Outlook window. 


New FrontPage Features 


e Customization of SharePoint 
Web sites You can now create or 
customize a SharePoint team Web 
site. You can add new custom 
document libraries, surveys, and 
other types of lists to a team site. 
You can view team site usage 
statistics. You can add a Document 
Library View or List View Web 
component to a page, which allows 
you to view the contents of a 
document library or a list on a team 
site. And you can create a custom 
form for adding, editing, or 
displaying items in a document 
library or other type of team site 
list. (See Figure 1-5.) 


e Navigation pane You can view a 
web’s navigation structure in Page 
view by opening the new Navigation 
pane. 


e Report publishing You can now 
copy a web report to a Web page, 
so that you can publish the report 
on the Web. 


e Enhanced Web publishing The 
Web publishing feature has been 
completely revamped. For instance, 
you can publish individual files that 
belong to a web. And when you 
publish, the Web Publish dialog box 
letsyou select exactly which files to 
publish and enables you to manage 
files in the local web as well as files 


on the destination server (you can 
cut, copy, paste, rename, or delete 
files, or copy files between the 
source and the destination). 


e Tabs in Page view You can now 
quickly switch between pages 
opened in Page view by clicking the 
tabs at the top of the window. 


e Language formatting You can 
now mark foreign text contained in 
a Web page so that Outlook uses 
the correct dictionary for checking 
its spelling and looking up 
synonyms. 


e Added graphics features You can 
now quickly add and arrange a 
collection of images by inserting a 
Photo Gallery Web component. You 
can create drawings within 
FrontPage using AutoShapes and 
the Drawing toolbar. And you can 
add decorative text by inserting a 
WordArt object. 


e Automatic table fill If you’ve 
added text to one table cell, you 
can now have FrontPage 
automatically copy that text to 
other cells. 


e Enhanced shared borders You 
can now assign a separate 
background color or picture to an 
individual shared border as well as 
to the main part of a page. 


e Collapsible outlines You can now 
convert a simple list to a multilevel 


outline that the page visitor can 
collapse or expand. 


Inline frames As an alternative to 
creating a frames page to view 
multiple pages, you can now insert 
an inline frame, which is a 
rectangular element that displays 
another page and lets you scroll 
through it. 


New Web components FrontPage 
provides new Web components, 
including new types of custom link 
bars, components that let you 
display information from the MSN 
or MSNBC Web sites, and 
components for SharePoint team 
Web sites (mentioned previously in 
this list). You can also download 
additional Web components from 
the Web. 


New Access Features 


New database format Access 
2002 provides a new database file 
format that offers better 
performance for larger databases. 
You can open and save databases in 
either the old format or the new 
one, and you can easily convert 
databases between formats. 


Enhanced spelling checker You 
can modify the way the spelling 
checker works by using the new 
Spelling tab in the Options dialog 
box. 


Convert objects to data access 
pages You can now convert a table, 
query, form, or report to a data 
access page. 


XML support You can now import 
or export data from or to XML 
documents. 


New Publisher Features 


e Prepress preparation Publisher 
2002 offers enhanced commercial 
printing functionality, including 
support for up to 12 “spot colors” in 
a single publication and the ability 
to combine process and spot colors 
in the same publication. Publisher 
also includes a new version of the 
EPS (Encapsulated PostScript) filter, 
which provides improved handling 
and previews of text, as well as 
improved handling of named colors 
to properly separate EPS graphics 
in spot-color publications. 


e Common features and 
improvements Font schemes 
make it easy to give your 
publication a new look. Choose one 
of 25 coordinated font sets, and it 
will be consistently applied to your 
publication. Publisher now makes it 
easy to prepare Word documents 
with great-looking professional 
designs by using the Word Import 
Wizard. Fifteen new Design Sets 
aimed at producing streamlined, 
professional-quality business 
publications have been added to 
Publisher. Many Publisher features— 
wizards, designs, and color 
schemes—have been redesigned for 
easy access in the task pane. 
Publisher includes a style inspector 
that describes the properties of the 
current style, allowing you to make 


better use of styles. Now you can 
save and open documents in HTML 
file format. The new mail-merge 
feature in Publisher is more like 
mail merge in Word, making it 
easier to use. 


Drawing tool Publisher 2002 uses 
the same drawing tools, including 
AutoShapes, used by other Office 
applications. You can now move 
objects inline with text in text 
frames. Once moved inline, 
graphics flow with text in frames. 
Publisher now supports cyan- 
magenta-yellow-black (CMYK) TIFFs 
internally. You’re no longer required 
to link to externally stored TIFFs. 
Publisher can separate vector and 
bitmap red-green-blue (RGB) 
images. Publisher supports print 
previews of the current publication, 
using the characteristics of the 
current printer to render the 
preview. If you’re using either 
process or spot color, print preview 
can display both a composite 
preview and previews of individual 
ink plates. Printing is easier now 
that the Print Setup and Page Setup 
dialog boxes have been merged 
into a single dialog box. 


International support Publisher 
2002 now includes support for 
complex scripts and bidirectional 
languages, such as Arabic and 
Hebrew. Publisher uses Office 
“word-breaking” technology to 


detect word breaks in Japanese and 
Chinese text for easy selection and 
editing of your text. Publisher now 
supports the Office Language 
Settings tool to let users enable 
language-specific editing features 
and the language used in online 
Help. 


Microsoft FrontPage Inside Out 


Chapter 35 


Using SharePoint Team Web 
Sites 


If you install SharePoint Team Services on your 
Web server, workgroups throughout your 
organization can use SharePoint team Web sites 
to coordinate their work. Team Web sites help 
people work together by providing an easy-to-use 
repository of project documents, discussions, and 
lists of virtually anything the project needs to 
record. 


Lists are central to the operation of a SharePoint 
team Web site. Physically, a list is just a database 
table. But the power of lists comes from the fact 
that you can create them, update them, display 
them, and if necessary delete them using 
standard Web pages that team members can 
quickly learn to use. 


SharePoint team Web sites provide the following 
services to anyone with a Web browser, 
connectivity to your server, and the necessary 
permissions: 


e Document Libraries. A SharePoint 
team Web site document library has 
two components: a folder full of 
documents and a list that describes 
them. You can search for 
documents using either the 
document content itself or the data 
in the list: 


e Web Discussions. 
After an Office 2000 
or Office XP user 
saves a document to 


a Web server as HTML 
(and recall: this is an 
integrated, one-step 
process), Web visitors 
browsing that 
document can make 
comments using a 
discussion toolbar. 
SharePoint Team 
Services stores these 
comments separately 
from the document 
itself. Then, when the 
document creator 
opens the document, 
all the comments 
appear seamlessly 
merged. 


e Search page. This 
feature uses Microsoft 
Indexing Service to 
search for documents 
within the current 
SharePoint team Web 
site. 


The clients for these features are 
either a browser (for the Web- 
based tasks) or standard Office 
applications (for document creation 
and retrieval). 


Discussion Boards. This is the 
sort of feature most people call a 
threaded discussion group. Within a 
team Web site, you can create as 
many Discussion Boards as you 
like, and each board can 


accommodate an almost unlimited 
number of threads and messages. 
You can sort and present the 
messages any way you like, and 
purge old messages automatically. 


Lists. These are the basic unit of 
storage in a SharePoint team Web 
site. They can contain a list of 
announcements, a list of upcoming 
events, a list of scheduled tasks, a 
list of team members or contacts, a 
list of excuses, or anything else you 
like. The number of lists and the 
fields they contain are totally at 
your discretion. 


Subscriptions. With this feature, 
team members can ask to be 
notified whenever a specified 
document or folder changes. 
SharePoint Team Services detects 
such changes and sends the 
notifications by e-mail. 


Administration. This Web-based 
tool provides control over the 
preceding applications. 


Creating a New SharePoint Team 
Web Site 


SharePoint Team Services runs on Microsoft Windows 
2000 computers with Microsoft Internet Information 
Services (IIS) 5.0 installed. SharePoint Team Services is 
a server-based application, so installing it requires 
Administrator privileges on the target machine. At a high 
level, here are the tasks required: 


1. Install Windows 2000 Professional, 
Windows 2000 Server, or any later 
version. 


Although Windows 2000 
Professional will run SharePoint 
Team Services, Microsoft 
intends this as a development 
platform. Windows 2000 
Professional isn’t licensed for 
use as a widely accessible Web 
server. 


2. Install IIS. 


For more information about 
installing IIS, refer to Chapter 


37, “Installing and Configuring 
a Web Server.” 


3. Install SharePoint Team Services by 
running \sharept\setupse.exe from your 
Office XP CD, or by downloading it from 
Microsoft’s Web site at 
http://www.microsoft.com/servers and 
following the accompanying instructions. 


As always, it’s generally best to upgrade Windows 2000 
and IIS to the latest release or service pack, and to 
install the most up-to-date release of SharePoint Team 
Services. For information about using SharePoint Team 
Services on other operating systems, monitor Microsoft’s 
Web site. 


Installing SharePoint Team Services installs the following 
items: 


e SharePoint team Web site application 
components. These include Web pages, 
ASP pages, ActiveX controls, and so forth. 


e Microsoft FrontPage Server 
Extensions 2002. If the Web server 
already contains an earlier version of the 
extensions, installing SharePoint Team 
Services will upgrade them. 


e Microsoft Data Engine (MSDE). This is 
essentially a version of Microsoft SQL 
Server, but it lacks the tools you need to 
design and manage your own databases. 
If you already have a copy of SQL Server 
running on your network, SharePoint Team 
Services can use that installation rather 
than MSDE. 


Installing SharePoint Team Services also installs a team 
Web site in the Web server’s root folder. If the server 
already contains a home page, the setup program will 
prompt you before replacing it with the team Web site’s 
home page. If you choose not to replace the existing 
home page, Setup saves the team Web site’s home page 
using a different name. 


If your computer has only one virtual Web server, 
installing SharePoint Team Services adds the FrontPage 
Server Extensions and other SharePoint Team Services 
features to that server automatically. Otherwise, 
SharePoint Team Services Setup asks you which servers 
to extend. After you install SharePoint Team Services, 
you can install it on or remove it at will from any virtual 
server on the same system. 


For more information about installing and 
removing the FrontPage Server extensions on 


individual virtual servers, refer to Chapter 38, 
“Understanding the FrontPage Server 
Extensions.” 


Microsoft designed SharePoint team Web sites for use by 
as many as 500 to 600 people who work together as a 
group (such as a department or project). The optimal 
number of users is smaller. If you have a lot of people, 
you probably have a lot of departments or projects, and 
you should generally create a separate team Web site 
for each one. Fortunately, a single Web server can host 
any number of SharePoint team Web sites. 


For more information about creating 


SharePoint team Web sites, refer to “Creating 
a SharePoint Team Web Site.” 


Figure 35-1 illustrates the home page for a typical 
SharePoint team Web site located in the Web server’s 
root folder. Additional team Web sites on the same 
server would, of course, have folder paths in their URLs: 


e The menu bar at the top of the page 
provides access to all features in the site. 


e The Quick Launch area at the left provides 
hyperlinks to whatever high-usage 
features you select. 


e The Search Documents text box and 
accompanying Go button search all 
documents libraries for a given string of 
text. 


e The Announcements and Events areas 
provide links to the Announcements and 
Events lists and display recent additions to 
those lists. 


e The Links area provides hyperlinks that 
team members might frequently use. This 
data resides in a list called, logically 
enough, Links. 
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Figure 35-1. The home page for a SharePoint team 
Web site is highly configurable, but this version is 
fairly typical for a new site. 


In general, it’s best to block anonymous access to 
SharePoint team Web sites. Otherwise, the Web server 
won't prompt team members for usernames and 
passwords, and none of the data in the team Web site 
will be identified by team member. 


For more information about controlling access 
to team Web sites, refer to “Administering 


SharePoint Team Web Site Settings” later in 
this chapter. 


Using Document Libraries 


Click Documents on the SharePoint team Web site menu bar to 
display the Document Libraries page shown in Figure 35-2. This 
page displays an icon representing each document library in the 
current team Web site. The one library shown in the figure— 
Shared Documents—appears automatically in every new team 
Web site, but you can create as many document libraries as you 
want. The New Document Library link jumps to a New page that 
creates new libraries, as do various other links located 
conveniently throughout the team Web site. 


A Document Libraries - Microsoft Internet Explorer 
| File Edit View Favorites Tools Help 
| Back ~ > ~ & A A) | Seach [Favorites {4 History [EN E] -E 


| Address [Æ] http://127.0.0.1/_layouts/AllLibs.htm 


ij Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Document Libraries 


Use this page to go to a document library and read or edit the documents that are stored there. To 
create a new document library, click "New Document Library" below. 
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Share a document with the team by adding it to 
this document library. 
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Figure 35-2. This page provides a selection list of 
SharePoint team Web site document libraries. The one 
library shown here appears by default in every new team 
Web site. 


How Document Libraries Work 


SharePoint team Web site document libraries have 
three major components: 


e A folder named Shared Documents, 
where all the documents reside. 


e A database table—stored in MSDE—that 
records additional information about 
each document in the library. 


e A series of Web pages that update the 
document library, perform queries 


against it, and so forth. 


Adding a document to the library requires updating 
two of these components in unison: the Shared 
Documents folder and the database table. That’s why 
you should always update team Web site document 
libraries through the Web pages provided, or directly 
from Office XP using Web Folders (or, on Windows 
2000, an HTTP location in My Network Places). 


Click the icon for any library, or click the Shared Documents link, 
to display a Document Library View page like the one in Figure 
35-3. This page lists the documents in the library. 
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Figure 35-3. Click a library name or icon in a Document 
Libraries page (Figure 35-2), or click the Shared Documents 
link, to display a list of documents like this. 


Here are its notable features: 


e Main Document Area. This is the large area with 
a white background that appears in the center of 
the Web page. It lists all the documents in the 
current library. To sort this listing on any field, click 
the field’s column heading. (That is, click File 
Name, Last Modified, or Modified By.) 


e Select A View. This area in the top left corner 
selects among all available formats for listing 
documents in the library. By default, there are two 
such formats: 


e All Documents. Displays one line of 
text for each document in the library. 
Figure 35-3 illustrates this format. 


e Folder View. Displays one icon for 
each file or folder in the library. The 
icons appear from left to right across 
the available display area, then wrap 
to the next line. 


To create additional views, click the Modify Settings 
And Columns link to display a Customization page, 
and then click the Create A New View link at the 
bottom of the page. 


Search Documents. This area appears just below 
the Select A View area. To locate documents that 
contain a given word or phrase. Enter the text in 
the box provided, and click Go. 


New Document. Click this link to begin editing a 
new document you plan to store in the current 
library. If the library specifies a template, the Web 
page downloads it, starts the appropriate editor, 
and specifies the current library as the default save 
location. If the library has no defined template, the 
Web page starts Microsoft Word. 


When saving documents into a 
SharePoint team Web site library (or 
saving them to disk in preparation for 
upload to a team Web site library), it’s 
usually best to save them in HTML 
format. That way, other team members 
can view and annotate the document 
directly in their browsers. If you save or 
upload a non-HTML document in its 
native format, other team members will 
have to download the document, open it 
with another program, and then upload 


it again if they've made any changes. 
Upload Document. Click this link to display an 


Upload Document page that uploads a document 
from your computer and adds it to the library. 


Filter. Click this link to limit the list of documents 
based on criteria you specify. The team Web site 
redisplays the current Web pages, adding selection 
controls above each selectable column heading. 


e Subscribe. Click this link to display a New 
Subscription page. This page tells SharePoint Team 
Services to send you an e-mail message whenever 
someone changes the contents of a document or 
folder within the library. 


Subscription is a pervasive feature. You 
can subscribe to receive change 
notifications regarding almost any 
aspect of a team Web site. 


e Modify Settings And Columns. Click this link to 
display a Customization page that modifies the 
name of library, its assigned template, its presence 
or absence on the quick launch bar, and so forth. 


Significantly, clicking this link also provides options 
that add or remove columns (that is, fields) from 
the document listing. You can use these extra 
columns to record anything you want about the 
documents in the library, and then to sort or filter 
documents on that basis. For example, you could 
add fields to record the: 


e Name of the product that the 
document describes. 


e Product version. 
e Document version. 


e Contract or customer for whom you 
created the document. 


Troubleshooting 


Team Web Site document search displays 
message, “Service is not running” 


When using a Team Web Site, entering a search 
phrase in a Search Documents box and clicking Go 
might result in the following message: 


Service is not running. 


This message appears if Microsoft Indexing Service 
isn’t running on the Web server where the Team Web 
Site resides. To start this service: 


1. Choose Programs from the Windows 
Start menu. 


2. Choose Computer Management from the 
Administrative Tools menu. 


3. By default, the Computer Management 
application manages the local computer. 
To control Indexing Service on a 
different computer, right-click Computer 
Management (Local), choose Connect To 
Another Computer, select the name of 
the server where the Team Web Site 
resides, and click OK. 


4. Expand the Services And Applications 
entry. 


5. Right-click the Indexing Service entry, 
and then choose Start from the shortcut 
menu. Click Yes when prompted to start 
Indexing Service. (If no Indexing 
Service entry appears, Microsoft 
Indexing Service isn’t installed on the 
computer. The topic “Installing IIS on 
Windows 2000” in Chapter 37 explains 
how to install Indexing Service. ) 


6. Click the Indexing Service entry once, 
and observe the display in the right 
pane of the Computer Management 
window. This display contains one line 
for each Indexing Service catalog. Here 
are your options: 


e If none of the catalogs 
include your Web server’s 
root folder, right-click 
Indexing Service, choose 
New from the shortcut 
menu, and then choose 
Catalog. In the Name field, 
give the catalog a name 
that relates it to your Web 
server. In the Location 
field, specify the physical 
location of your Web 
server's root folder. Finally, 
click OK. 


If a suitable catalog 
already exists, observe the 
Total Docs and Docs To 
Index columns in the 
Computer Management 
window’s right pane. When 


Total Docs is not zero and 
Docs to Index is zero, 
Indexing Service has 
finished analyzing your 
Web server. 


7. Try rerunning the Team Web Site search. 
If you still get the same error message, 
try stopping and restarting IIS. If the 
search still fails, try rebooting the 


server. 


Each line in the main document area of a Document Library View 
page (Figure 35-3) contains the following clickable areas: 


e File Name. Click any file name (or its icon) to open 
the file for viewing. If the file is a type that the 
browser can display, the browser displays it. 
Otherwise, the browser treats it as a download and 
starts the application on your computer that’s 
associated with the file type. 


e Edit. Click this icon to display an Edit Item page 
that updates the corresponding file or any 
information that describes it. 


Modified By. Click any name in this column to 
display a Personal Settings page that displays 
information about that team member. 


Click any Edit icon in the Document Library View page to display 
the Edit Item Form page shown in Figure 35-4. 


3 Edit Item Form - Microsoft Internet Explorer olx] 


| Eile Eee Favorites Tools Help [ = | 
| Back ~ > - @ A A| GSearch Favorites {Histon | E4~ Sp O ~ |S] 
| Address 


Fa ments/Forms/EditForm.htm?ID=3&Source=http%3a%2%2} 27%2e0%2e0%2e1%2fShared%2520Documents%2fForms%2fAlltems%2ehtm ¥ P Go 


i; Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Shared Documents: deliverables! vew 


=] Save and Close | X Delete | 2 Send For Review | E| Discuss | LSI] Edit in Microsoft FrontPage | Go back to d 


e Name * [deliverables „htm 


Title [list of Deliverables 


*indicates a required field 


0/2001 9:38 PM by Jim Buyens 


Pi 


Zi 


lið Intemet 


Figure 35-4. This SharePoint team Web site page displays a 
list of document properties you can edit. 


This form provides the following capabilities: 


e Save And Close. Click this link to save any 
changes you've made and return to the document 
library listing. 


e Delete. Click this link to delete the current 
document from the library. 


e Send For Review. Click this link to send e-mail to 
anyone you specify, asking that person to review 
the current library document. 


e Discuss. Click this link to open the current 
document for review and annotation. 


e Edit In <application>. Click this link to start the 
application associated with the current document 
and tell it to load the document from the Web 
server. 


e Go Back To Document Library. Click this link to 
abandon any changes you’ve made and return to 
the document library listing. 


e Document Information Fields. The central 
portion of the form contains form elements for all 
the editable fields that describe the document. To 


change any of this data, update the corresponding 
field and then click Save And Close. 


With two exceptions, these options are relatively straightforward. 
The exceptions involve the options Discuss and Send For Review 
(which uses Discuss). 


Using Web Discussions 


The Discuss option is what most Office applications call Web 
Discussions. Despite the similarity in names, it has nothing to do 
with SharePoint team Web site Discussion Groups. Web 
Discussions provide a way to add yellow “sticky notes” to a 
document and to share those notes with others—all without 
actually updating the document itself. This is possible because 
the “sticky note” information resides in a database on a so-called 
discussion server. This can be any SQL Server or MSDE database 
that services a team Web site. 


This is a very useful approach, because several people can review 
and annotate the same document simultaneously, and then the 
document owner can see all their suggestions merged together. 
There are no concerns about someone accidentally updating the 
document itself, because no one can update the document at all. 


One of three things can happen when you click the Discuss link 
on the Edit Item Form page: 


e If Microsoft Internet Explorer isn’t configured to use 
a discussion server, it displays the dialog box shown 
in Figure 35-5 asking whether you'd like to specify 
one. 


Microsoft Internet Explorer 


\?) You must specify a discussion server in order to use the discussions feature. Would you like to specify one now? 


Figure 35-5. Discussing a document requires 
access to a discussion server that stores any 
comments you make. If Internet Explorer 
doesn’t know the name of the discussion 
server, it displays this prompt. 


e If the document is in HTML format, reviewers can 
view the document and add their sticky notes using 
nothing but a Web browser. This mode of operation 
integrates perfectly with other SharePoint team 
Web site features, and it’s a very good reason to 
save all documents in a team Web site in HTML 
format. 


e If the document isn’t in HTML format, reviewers 
must download the document into the Office 
application that created it, choose Online 
Collaboration from the Tools menu, and possibly 
specify a discussion server by hand. 


The Save As Web Page option in most Office 
applications saves all the properties and features that 
saving in the native application format does. That is, 
saving and opening a document in HTML format 
provides all the same features as saving and opening 
a document in .doc, .x/s, or .ppt format. 


Figure 35-6 shows Internet Explorer accepting discussion 
comments for a document. The Web visitor: 


1. Displayed the Document Library View form shown 
in Figure 35-3. 


2. Clicked the Edit icon for the deliverables file. This 
displayed the Edit Item Form page shown in Figure 
35-4. 


3. Clicked the Discuss icon in the Edit Item Form 
page, and then displayed the Enter Discussion Text 


dialog box. 
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Figure 35-6. The sticky note icons show where you can 
append comments to the document. Click one to display the 
Enter Discussion Text dialog box. 


Click the Discuss icon to immediately display the Discussion bar 
shown at the bottom of Figure 35-6. (In Internet Explorer 5.5 or 
later, you might need to choose Explorer Bar from the View 
menu, and then choose Discuss.) The same command hides the 
Discussion bar if it’s already on display. Here’s how to use the 
buttons on this bar (note that these buttons will be available or 
unavailable depending on the type of document): 


e Discussions. Click this button to display a menu 
containing the following options: 


e Insert In The Document. Choose 
this command to display or hide all 
possible locations for inline sticky 
notes (those that appear inline with 
the document text). There’s basically 
one sticky note location per 
paragraph. To add text to a new or 
existing sticky note, click it. 


Insert About The Document. 
Choose this command to display an 
Enter Discussion Text dialog box 
where you can enter discussion 
comments about the document in 
general. 


Refresh Discussions. Choose this 
command to retrieve a current set of 
discussion comments from the 
discussion server. Your display will 
then reflect changes other visitors 
might have made after you first 
displayed the page. 


e Filter Discussions. Choose this 
command to display discussion 
comments from only a certain 
participant, or within a certain time 
span. 


e Print Discussions. Choose this 
command to print the discussion 
comments. 


e Discussion Options. Choose this 
command to select the discussion 
server and the discussion fields to 
display. 


To host discussions on one server about 
documents on another, first open the 
document and then, on the Discussions 
toolbar, choose Discussion Options from 
the Discussions drop-down list. Finally, 
select the server that records discussion 
items from the Select A Discussion 
Server drop-down list. 


e Insert Discussion In The Document. Click this 
button to perform the same function as the Insert 
In The Document menu command just described. 


e Insert Discussion About The Document. Click 
this button to perform the same function as the 
Insert About The Document menu command just 
described. 


e Expand All Discussions. Click this button to 
display the title, text, and all other fields for each 
discussion comment. 


Collapse All Discussions. Click this button to hide 
the contents of all discussion comments. A sticky 
note with a plus icon appears in place of each 
comment. To expand a particular comment, click 
the plus icon. 


e Show General Discussions. Click this button to 
display all general (non-inline) discussion 
comments made about an HTML document. 


e Previous. Click this button to display the previous 
discussion comment. 


e Next. Click this button to display the next 
discussion comment. 


e Subscribe. Click this button if you want to get an 
e-mail notification whenever someone updates 
either the current document or any document in 
the same folder. 


e Stop Communication With Discussion Server. 
Click this button if you want to disconnect an HTML 
document from the discussion server. 


e Show/Hide Discussion Pane. Click this toggle 
button to display or hide the discussion pane. 


e Close. Click this button to close the Web 
discussion. 


e Reply With Changes. Composes an e-mail 
message to the originator of a document, informing 
that person that you’ve added discussion comments 
to it. 


Discussion text also appears—in almost identical format—when 
the original user opens the HTML file in Word. In fact, all 
discussion text from all users is merged seamlessly into place. (If 


no discussions appear, choose Online Collaboration from the Tools 
menu, and make sure the correct discussion server is specified.) 


Using Subscriptions 


Click any Subscribe link on a SharePoint team Web site 
page (such as the Document Library View page shown in 
Figure 35-3) to display the New Subscription page 
shown in Figure 35-7. To display the Document 
Subscription dialog box shown in Figure 35-8, click 
Subscribe on the Discussion bar. Both this dialog box 
and the New Subscription page serve the same function: 
you can subscribe to change notices on the current 
document or on any document in a specified folder 
(subject to filters); set notification criteria; specify your 
e-mail address; and indicate how long SharePoint Team 
Services should accumulate changes before sending 
them. 


Figure 35-9 shows a typical change notification 
message. Although the message in the figure provides 
only one notification, a single message can report 
multiple changes. 
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i; Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
New Subscription 


Use this page to be notified of changes to this Web site, 


Add Subscription Subscribe to: 


Subscribe to be notified by e-mail when items in a list [Shared Documents =] 


change. 
? Notify me when: 


[anything changes z] 


E-mail address: 


[buyensj@interlacken.com 


(for example, 
someone@microsoft.com) 


Time: 


[once a day z] 


x | Discussions * | %7) J EJ T | subscribe... | H| 
E mso:2000 


Figure 35-7. This Web page subscribes an e-mail 
user to change notifications for a given document or 
folder. 


The notification process periodically scans a database 
and combines all notifications to the same recipient. The 
less often you choose to receive messages, the more 
notifications each message will contain. 


The Subscription feature of a SharePoint team Web site 
isn’t limited to Web Discussion comments that team 
members make using Internet Explorer. On the contrary, 
team members can subscribe for notification of almost 
any change to a team Web site. 


4% Document Subscription Es 
Subscribe to: 

@ File fhttp://127.0.0, 1/Shared Documents/deliverables. htm 

C Folder 


Path equals 


Modified by doesn’t matter 
Notify me 

when: [anything changes ë 
Email options 


Address: [ouyensj@interlacken com 


(e.g. someone@microsoft.com) 


Time: [when a change occurs x 
wl Cancel | 


Figure 35-8. This is the dialog box version of the 
Web page that appears in Figure 35-7. 
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From: admin@interlacken.com Sent; Fri 2/2/01 11:35 AM 
buyensj@interlacken.com 


Subject; Change notification 


The following change(s) happened to the document http://127.0.0.1/Shared Documents/deliverables htm 


Event: Discussion items were inserted or modified in the document. 
By: INTERLACKEN\im 
Time: 2/2/2001 11:33:17 AM 


Click here to stop receiving this notification 


Please contact admin@interlacken.com for further assistance 


Figure 35-9. A SharePoint team Web site sent this 
change notification automatically. 


Troubleshooting 


Subscribers don’t receive SharePoint 
team Web site change notifications 


SharePoint team Web site members who 
subscribe to receive change notifications 
might not receive the expected mail for any 
of the following reasons: 


e Not enough time has 
passed. SharePoint team Web 
sites send notifications at 
intervals even if a team 
member chose to receive them 
“When A Change Occurs.” 
These intervals apply to the 
entire Web server, and are thus 
something an administrator 
must control. The following 
settings are the defaults, but 


your server’s configuration 
might vary: 


e Immediate 
Notifications. 
Every five 
minutes. 


e Daily 
Notifications. 
Midnight. 


e Weekly 
Notifications. 
Sunday midnight. 


e Server settings might be 
incomplete. The server 
administrator must configure 
SharePoint Team Services with 
the name of an SMTP mail 
server and an address that will 
appear in the From and Reply 
To fields of each outgoing 
message. 


e The Web Subscriptions 
feature might be disabled. 
The server administrator can 
turn off the Web Subscriptions 
features at the server level. 
Obviously, this inhibits the 
transmission of notification 


messages. 


Using Discussion Boards 


A SharePoint team Web site discussion board works a lot like an 
Internet newsgroup or a FrontPage Discussion Web. Team 
members can post new messages, respond to existing messages, 
and view messages in their entirety or in condensed lists. 
Whoever administers the team Web site can purge and correct 
messages, alter discussion board settings and defaults, and so 
forth. If security settings permit, team members can initiate and 
control their own discussion boards, and whoever posts a 
message can subsequently revise or delete it. 


Figure 35-11 shows a summary view of a typical discussion 
board. To display this Web page: 


1. Choose Discussion Boards from the menu bar of 
any page in the SharePoint team Web site. This 
displays the Discussion Boards page shown in 
Figure 35-10, which displays the name and 
description of each available discussion board. The 
General Discussion board appears by default as 
part of every new team Web site. You can do the 
following: 


e To create additional boards, click the 
New Discussion Board link. This 
displays a New page that initializes a 
new discussion board. 


e To discuss a specific document on the 
Web, click Discuss A Document. This 
provides an entry point to the Web 
Discussions feature described in the 
section titled “Using Web Discussions” 
earlier in this chapter. 
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Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Discussions Boards 


Use this page to participate in a discussion board by clicking the name of the board. To start a new 
discussion board, click "New Discussion Board" below, 


TD New Discussion Board | E Discuss a Document 


FT] General Discussion 


Use the General Discussion to hold newsgroup- 
style discussions on topics relevant to your team. 


ff Utkin Zone (Mixed 


Figure 35-10. This page provides a selection 
list of SharePoint team Web site discussion 
boards. The single discussion shown appears 
by default in every new team Web site. 


2. To view or modify the contents of an existing 
discussion board, click its icon or title. This displays 
a Discussion Board View page like the one shown in 
Figure 35-11. Figure 35-12 illustrates expanded 
view. 
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Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
General Discussion 


Select a View: Use the General Discussion to hold newsgroup-style discussions on topics relevant to your team. 


a Summary New Discussion | I Filter | Subscribe m Modify settings and columns 
Expanded 


Subject Modified By Modified 

s Excuses Dave Hasn't Heard Otto from Ottawa 1/30/2001 10:23 PM 
s My Ex-Wife... Mary Smith 1/30/2001 10:27 PM 

s Where's A Good Place for Lunch? Jim Buyens 1/30/2001 10:03 PM 
a Where's A Good Place for Lunch? Jim Buyens 2/2/2001 1:28 PM 


= Where's A Good Place for Lunch? ! New Mary Smith 2/2/2001 1:35 PM 
a Pedro's Lube & Tune Otto from Ottawa 1/30/2001 10:21 PM 


Figure 35-11. Click a discussion board name 
or icon in Figure 35-10 to display a list of 
messages like this. 
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Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 
Team Web Site 
General Discussion 


Select a View: Use the General Discussion to hold newsgroup-style discussions on topics relevant to your team. 
Summary 


ÅS New Discussion | Subscribe a Modify settings and columns 
a Expanded — — = 
Excuses Dave Hasn't Heard 1/30/2001 10:23 PM 
Posted by Otto from Ottawa 
pe anyone have a list of excuses Dave hasn't heard? Because Dave is new, I don't know what 

e'll go for. 


My Ex-Wife... 1/30/2001 10:27 PM 
Posted by Mary Smith 


Say your ex-wife won the lottery, became your landlord, and evicted you, 
Where's A Good Place for Lunch? 1/30/2001 10:03 PM 
Posted by Jim Buyens 
Hi! I'm new to the project, having just been reassigned from the RSG (Random Scrap Generation) 
task force, Is there a restaurant in the area that features low-fat cheeseburgers? 
Where's A Good Place for Lunch? 2/2/2001 1:28 PM 
Posted by Jim Buyens 
Dirigible Deli is good for low fat but they don't have cheeseburgers. 


Where's A Good Place for Lunch? ! new 2/2/2001 1:35 PM 
Posted by Mary Smith 
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Figure 35-12. Click the Expanded link in a 
Discussion Board View page (Figure 35-11) to 
display this view of the messages in a 
discussion board. 


Here’s how to use the various links on a Discussion Board View 
page: 


e Select A View. Click any link in this area (at the 
left of the page) to display the discussion in the 
format you want. Summary view, the default, is the 
mode shown in Figure 35-11. To create additional 
views , click the Modify Settings And Columns link 
near the right border of the page. 


e New Discussion. Click this link to initiate 
discussion on a new topic (that is, to create a new 
top-level message). Figure 35-13 shows the Web 
page that supports this function. (Remember, to 
create a new discussion board, click the New 
Discussion Board link in the Discussion Boards list, 
shown in Figure 35-10.) 
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Team Web Site 
General Discussion: New Item 


=E Go back to discussion board 


Subject * [Where's A Good Place for Lunch? 


Tony's Briney Torpedos has low fat pickles. Does that help? = 
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Figure 35-13. This Web page starts a new 
discussion thread. To display it, click any New 
Discussion link. 


Filter. Click this link to limit the displayed 
messages based on criteria you specify. 


e Subscribe. Click this link if you want to receive e- 
mail notification whenever someone changes the 
contents of the discussion board. 


e Modify Settings And Columns. Click this link to 
display a Customization page that modifies the 
name of the discussion board, its description, its 
columns, or its views. The SharePoint team Web 
site keeps all this information in its database, and 
then adds it—on the fly—to any relevant Web 
pages. 


Subject, Modified By, and Modified. Click any of 
these column headings to sort the display on that 
column. 


Subject Titles. Click any entry in the Subject 
column to select and display it. 


Modified By Names. Click any entry in the 
Modified By column to display information about 
that person. 


Click the title of a message in the Discussion Board View page 
(Figure 35-11) to bring up the Display Discussion Article page 


shown in Figure 35-14. The title and body of the current message 
appear under the second menu bar. 
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Posted by Jim Buyens 
Dirigible Deli is good for low fat but they don't have cheeseburgers. 
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Figure 35-14. Click the Subject text of any message to 
display both the message and its position in the thread. 


The menu bar itself contains the following links: 


e Reply. Click this link to create a new message that 
responds to the current one. The new message 
appears beneath the existing one, indented one 
level to the right. Figure 35-13 shows the New 
Discussion page that appears when you click the 
Reply link. 


e Edit Item. Click this link to modify the current 
message. Depending on settings in effect for the 
discussion board, this might be possible only for an 
administrator or the person who originated the 
message. 


e Delete Item. Click this link to delete the current 
message. Again, this might be possible only for an 
administrator or the person who originated the 
message. 


e Go Back To Discussion Board. Click this link to 
back up one screen (usually to the Discussion 
Board View page shown in Figure 35-11). 


Using Lists 


Click the Lists link on the menu bar of any page in a SharePoint 
team Web site to display the Lists page shown in Figure 35-15. 
This is basically a list of all the lists in the current team Web site. 
All five lists itemized in the figure appear by default in any new 
team Web site. 
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Team Web Site 
Lists 


Use this page to go to any list in this Web site. To create a new list, click "New List" below, 


S New List 
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< | Announcements =| Contacts 


Use the Announcements list to post messages on Use the Contacts list for information about people 
the home page of your site, that your team works with. 


| Events >| Links 


Use the Events list to keep informed of upcoming Use the Links list for links to Web pages that your 
meetings, deadlines, and other important events. team members will find interesting or useful. 


x | Tasks 


Use the Tasks list to keep track of work that you 
or your team needs to complete. 
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Figure 35-15. This page identifies the lists in a SharePoint 
team Web site. The lists shown here appear by default in 
every new team Web site. 


Physically, a list is nothing more than a table in a database. Each 
list item is a table row and, as you've probably guessed, each list 
column is a table column. The SharePoint team Web site can 
create new tables (that is, lists), add columns, modify columns, 
and delete columns using Web pages that are part of (and 
integrated with) the team Web site. 


Click the entry for any list in the List page to display a List View 
page like the one shown in Figure 35-16. The links on this page 
work much like those already described for document libraries 
and discussion boards (are you noticing a pattern?), but here’s a 
brief summary: 


e Select A View. Click any link in this area to display 
the list in the format you want. 


e New Item. Click this link to display a page named 
New Item Form that adds a new item to the list. 


e Filter. Click this link to limit the displayed 
messages based on criteria you specify. 


e Export. Click this link to download a Microsoft 
Excel Web Query file that downloads the data in the 
list. Such files have a .igy filename extension that’s 
normally associated with Microsoft Excel. When you 
open such a file, Excel connects to the SharePoint 
team Web site database and downloads the data 
for the list you requested. 


This is a highly useful approach because every time 
you open the Web Query file, Excel connects to the 
database server and downloads a fresh copy of the 
data in the list. This saves you from downloading 
fresh copies of the data manually. If you want to 
save a copy of the data as of some specific point in 
time, copy it from the query region and paste it 
into another spreadsheet. 
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Figure 35-16. Click a list name or icon ina 
List page (Figure 35-15) to display the items in 
the list. 


e Subscribe. Click this link if you want to receive e- 
mail notification whenever someone changes the 
contents of the list. 


e Modify Settings And Columns. Click this link to 
change the properties of the list. This includes the 
name, description, columns, views, and other 
settings. 


The five lists shown in Figure 35-15 all contain different 
combinations of fields and different views. Nevertheless, they’re 


all simple database tables that operate using the same basic 
principles. 


Creating New Libraries, 
Discussions, and Lists 


Click the Create link on any SharePoint team Web 
site menu bar to display the Create Page page 
shown in Figures 35-17 and 35-18. This page has 
the following options: 


e Custom List. This option, the first 
on the page, creates a list with only 
one column: Title. After the list 
exists, of course, you can display it 
and then click Modify Settings And 
Columns to add more columns, 
delete the Title column, or make 
any other changes you want. 


e Import Spreadsheet. This option, 
the last on the page, creates a list 
from data contained ina 
spreadsheet. Each row of 
spreadsheet data becomes one list 
record, and each column of 
spreadsheet data becomes a list 
column. The values in the first row 
will become the column names in 
the list. 


When using this option, the 
SharePoint team Web site doesn’t 
actually upload the spreadsheet as 
a file and then process it on the 
server. Instead, it opens Excel on 
your computer. Excel then opens 
the spreadsheet you specified, 
prompts for a range of cells to 
upload, and then transmits the 
values of those cells. This is much 


more flexible than uploading the 
entire file and converting its 
contents to a list. 


All the other choices are basically variations of 
the Custom List choice, with the exception that 
each of them initializes the new list with a 
different collection of fields and formats. If one of 
these list types is nearly or exactly what you 
want, choose it. Otherwise, it'll probably be 
easier to use the Custom List choice than to 
delete all the extra columns another choice 
provides. 


Creating a New Survey 


Surveys are a particularly interesting type of list. As with all surveys, 
there are four basic steps: 


1. Decide what questions you want to ask. 
2. Design a form people can use to record their answers. 
3. Let the survey population fill out the form. 


4. Analyze the results. 


Although a SharePoint team Web site can’t choose questions for you, it 
does most of the work for the three remaining steps. This section explains 
how to create a survey and, along the way, how to perform a myriad of 
tasks useful for creating other lists as well. Here’s the procedure: 


1. Click the Create link on any SharePoint team Web site menu 
bar. This displays the Create Page page shown in Figures 35- 
17 and 35-18. 


2. Click the Survey link shown in Figure 35-17. This displays 
the New Survey page partially shown in Figure 35-19. 
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Team Web Site 
Create Page 


Use this page to create a new list, document library, discussion board, or survey. Choose from one 
of the pre-defined lists, or create your own custom list. A page that contains a default view of your 
new list, document library, discussion board, or survey will be added to this Web site, 


Custom List 

If none of the pre-defined lists meets your needs, design a custom list by 
specifying your own columns. For example, you might create an inventory list, a 
sign-up sheet, a team roster, and so on. 


Document Library 


a= I] Document libraries are folders that make it easy to share documents with others. 
Each library displays documents in a list that can be filtered or sorted. 


Survey 
Surveys are an effective way to take a poll of tearm members. All you need to do 
is specify the questions and define how users enter their answers, 


Discussion Board 
A discussion board makes it easy for team members to use newsgroup-style 
discussions for topics relevant to your team, 


Links 
4 list of links provides your team with shortcuts to favorite Web pages, 
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Figure 35-17. This Web page has links for creating 
lists, discussion boards, and document libraries of all 
kinds. 
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A discussion board makes it easy for team members to use newsgroup-style 
discussions for topics relevant to your team, 


Links 
A list of links provides your team with shortcuts to favorite Web pages. 


Announcements 
An announcement list makes it easy for team members to post news and 
information for the rest of the team to see. 


Contacts 

4 list of contacts displays information about people that your team works with, 
such as customers, vendors, or participants in an activity, The list includes 
information such as name, address, and telephone number. 


Events 
Team members can use an events list to keep each other informed of upcoming 
meetings, deadlines, and other important events. 


Tasks 

A task list is an easy way to keep track of work that you or your team needs to 
complete. After creating this list, add columns to it that are relevant for the 
particular tasks that your team performs. 


Import Spreadsheet 
Import a list from a spreadsheet. 


Figure 35-18. This is the bottom half of the Web page 
that starts in Figure 35-17. 
3 New - Microsoft Internet Explorer 


| Eie Edt View Favorites Tools Hep || {Back ~ > ~ @ [2] A| GQSearch [Favorites BHistoy | E | 
| Address [Æ] http://127.0.0.1/_layouts/new.htm?ListT emplate=1028ListBaseT ype=4 


New Survey 


Use this page to define the general settings of this survey. You can set the name, description, and 
whether a link to this survey appears on the Quick Launch bar on the home page. You can also 
configure whether users' names will appear in the survey results and whether users can respond to 
the survey more than once, 


Name and Description Name: 


Type a new name as you want it to appear [Status Assessment 


in headings and links throughout the site. 
Type descriptive text that will help site 
visitors use this survey. 


Description: 


Survey to assess and avaluate team = 
attitudes toward the project. 


I 


Navigation a Display this survey on the Quick Launch 
bar? 


Specify whether a link to this survey 
appears in the Quick Launch section, @ yes CNo 


Survey Options Show user names in survey results? 
You can specify options for this survey. @yes CNo 
Allow multiple responses? 


Cyes ©No 


Next | Cancel | 


Figure 35-19. Click the Survey link in a Create Page 
page (Figure 35-17) to display this Web page for 
creating a new survey. 


Fill out the input options as follows: 


e Name. Give the survey a short, descriptive 
name. 


e Description. If you want, enter a few 
sentences that explain the survey and its 
purpose. 


e Display This Survey On The Quick Launch 
Bar? Click Yes if you want all Quick Launch 


areas in the current SharePoint team Web site 
to contain a link to this survey. Otherwise click 
No. Use this feature judiciously; a Quick 
Launch bar containing hundreds of links isn’t 
much of a time saver. 


e Show User Name In Survey Results? Click 
Yes if displays of survey results should include 
then name of each respondent. Click No to 
keep these names private. 


e Allow Multiple Responses? Click Yes if the 
same person can fill out the survey multiple 
times. Click No if each person can submit 
responses only once. 


Click the Next button when you're satisfied with your 
entries. 


3. The next page to appear is the Create New Question page 
shown in Figures 35-20 and 35-21. This Web page 
constructs the first survey question. 


Æ Create New Question - Microsoft Internet Explorer BEE 
| File Edt View Favorites Tools Help 
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| Address E] http://127.0.0.1/_layouts/qstnew.htm?List=u_StatusAssessment 


Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Status Assessment: Add Question 


Use this page to add a question to this survey. 


Question and Type Question: 


Type your question and select the What do you believe is the current 
type of answer. phase of this project? 


The type of answer to this question is: 
© Single line of text 
© Multiple lines of text 
© Number (1, 1.0, 100) 
C Currency ($, ¥, £) 
© Date and Time (11/02/2001 12:15) 
C Lookup (information already on this site) 
@ Choice (menu to choose from) 
C Yes/No (check box) 


Optional settings for your 
question Require a response to this question: 


| | [að Unknown Zone (Mixed 7 


Figure 35-20. This page adds a question to an existing 
survey. This is quite useful because creating a new 
survey creates only one question. 


| File Edit View Favorites Tools Help | 

| Back -> + @ A | QSearch [4 Favorites “BHistoy | G5- Sp Ol ~ |S} 

|| Address [21 hitp.7127.0.0.1/ layouts/astnew him7Listou StatusAssesoment —ssts—~<~*sé‘;*~*i*~*C 
@ Choice (menu to choose from) 
C Yes/No (check box) 


Optional settings for your 
question Require a response to this question: 


Specify detailed options for the type C Yes @ No 
of answer you selected, Show me 
more information 


Type each choice on a separate line: 


Enthusiasm 

Disillusionment 

Panic 

Search for the Guilty zl 


Display choices using: 
© Drop-Down Menu @ Radio Buttons 


Default value: 


Enthusiasm 


| | [a Unknown Zone [Mixed 4 


Figure 35-21. This is the bottom half of the Web page 
that begins in Figure 35-20. 


Here’s how to use the input options provided: 


e Question. Enter the text for the first question 
in the survey. 


e The Type Of Answer To This Question Is. 
Indicate what type of data constitutes the 
survey answer. Table 35-1 summarizes the 
result of each choice. 


Table 35-1. SharePoint team Web site 
Survey Answer Types 


Type of 


Input form 
answer 


Single Line Of Text box 
Text 


Multiple Lines Text area box 
Of Text 


Number (1, Text box 


1.0, 100) 

Currency ($, Text box 

Y, £) 

Date And Combination of text box 
Time (for date) and drop-down 


(11/02/2001 lists (for hour and 
12:15) minute) 


Type of 


eae Input form 
Lookup Drop-down list 
(Information 

Already On 

This Site) 


Choice (Menu Drop-down list or option 


To Choose buttons 
From) 
Yes/No Check box 


(Check Box) 


The Lookup choice warrants a bit of additional explanation. 
This choice populates a drop-down list with all values that 
occur in a given list and column within the SharePoint team 
Web site. For example, this could include all Full Name 
values in the User Information list, all Titles in the Shared 
Documents library, all E-Mail Addresses in the Contacts list, 
and so forth. To configure a Lookup choice, you specify first 
the name of the list you want and then the column. 


4. The bottom half of the Edit Question page changes 
depending on the type of answer you specify. Figure 35-21 
shows the format that appears if you choose Choice (Menu 
To Choose From). Enter each option as follows: 


e Require A Response To This Question. 
Click Yes if the survey respondent must 
answer the question before proceeding. Click 
No if answering the question is optional. 


e Type Each Choice On A Separate Line. 
Enter the list of choices. Separate choices by 
entering a carriage return. 


e Display Choices Using. Select either Drop- 
Down Menu or Radio Buttons depending on 
how you want respondents to view the 
choices. 


e Default Value. Enter the name of the choice 
that will be selected when the respondent first 
displays the Web page that contains this 
question. 


Click OK to finish creating the survey question. 


5. The Customization page partially shown in Figure 35-22 is 
the next page to appear. 


Æ} Customization - Microsoft Internet Explorer BEES 


II File Edit View Favorites Tools Help 


|| Address 4] http://127.0.0.1/_layouts/SurvE dit htm?List=u_StatusAssessment z] @Go 
Team Web Site 
Customize Status Assessment 


Use this page to change the design of the survey, such as its name, security settings, and questions. 
Go back to "Status Assessment" 
General Settings 


% General settings of this survey include its name and description. Current general 
settings of this survey: 


Status Assessment 


http://127,0.0.1/Lists/Status Assessment/overview.htm 


Yes 


a Delete this survey 


Questions 


=| G] Questions currently in this survey: 


project? 


D Add a question 


a Change the order of the questions 


Figure 35-22. This page modifies the overall properties 
of a survey. 


It provides the following links: 


e Change General Settings. Displays a 
Change General Settings page very similar to 
the one shown in Figure 35-19. This provides 
a way to update these settings without 
recreating the survey. 


e Delete This Survey. Removes the survey 
forms, links, and data from the SharePoint 
team Web site. 


e Question (Click To Edit). Click the text of 
any question listed under this heading to 
change the text or format of that question, or 
to delete the question completely. 


e Add A Question. Click this link to add the 
second, third, and all subsequent questions in 
the survey. Basically, you must click this link 
and then repeat steps 3 and 4 once for each 
question. 


e Change The Order Of The Questions. Click 
this link to display a list of current questions 
and question numbers. The question numbers 
appear in drop-down lists that you can 
manipulate to put the questions in any order. 


Figure 35-23 shows how the Status Assessment survey appears to a 
survey respondent. This is a custom survey created by using the 
procedure just described, and not a standard element of every new 
SharePoint team Web site. 


3 New Survey Response - Microsoft Internet Explorer 


| Fie Edit View Favorites Tools Help 
| Address Fal tus%20Assessment/NewForm.htm?S ourceshttp%3a%2%2H 27%2e0%2e0%2e1 Z2fLists%2fS tatus% 2520Assessment%2foverview%2ehtm ¥ @Go 


Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Status Assessment: New Item 


Wi Save and Close | Go back to survey 


Wh you believe is the curent phase of this @ Enthusiasm 
© Disillusionment 
© Panic 
© Search For the Guilty 
C Punishment of the Innocent 


© Praise and Honor for Non- 
Participants 


jo you think the project will ever end? Vv 


(None) 


(None) 
Da ; x BUILTIN\Administrators 
* indicates a required field im Buyens 


Mary Smith 
Otto from Ottawa A 


Figure 35-23. This is how the survey looks to a survey respondent. 
The survey itself is just a list with a column for recording each 


answer. 
Here’s how to display this page: 


1. Click the Lists link on the menu bar of any page ina 
SharePoint team Web site. 


2. Click the survey’s list title or its preceding icon. This displays 
the Overview page shown in Figure 35-24. 


3 Overview - Microsoft Internet Explorer 


| Ele Edt View Favorites Tools Help 
| Address [Æ] http://127.0.0.1/Lists/Status%20Assessment/overview.htm 


Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Z Team Web Site 
Status Assessment 


Select a View: Respond to this survey | BẸ Export Results to a Spreadsheet | Subscribe © Modify survey and questions 


a Overview 
re SA Status Assessment 
Graphical 
Summary 
1/30/2001 10:42:07 PM 


All Responses 
poe onses; 3 


© Show a graphical summary of responses 


@ Show all responses 


Figure 35-24. The entry point for analyzing survey 
results is this Web page. 


The Overview page contains the following choices: 


e Respond To This Survey. Click this link to 
answer all the survey questions. 


e Export Results To A Spreadsheet. Click this 
link to download an Excel Web Query (.iqy) file 
that downloads the survey data into a 
spreadsheet. 


For more information about 
downloading list data, refer to 
“Using Lists” earlier in this chapter. 


e Subscribe. Click this link if you want to 
receive e-mail notification whenever someone 
completes or changes the survey. 


e Modify Survey And Questions. Click this 
link to change the properties of the survey. 
This includes the name, description, questions, 
and other settings. In short, it displays the 
Customization page partially shown in Figure 
35-22. 


e Show A Graphical Summary Of Questions. 
Click this link to display a graphical summary 
of survey responses like the one shown in 
Figure 35-25. 


e Show All Responses. Click this link to 
display a textual listing of survey responses 
like the one shown in Figure 35-26. 


A Summary - Microsoft Internet Explorer BEIEI 
| File Edt View Favorites Tools Help | 
| Address @] http://127.0.0.1/Lists/Status%204ssessment/summary.htm v| @Go | 


i) Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 
Team Web Site 
Status Assessment 


Select a View: ŽS Respond to this survey | GY Export Results to a Spreadsheet | Subscribe | Modify survey and questions 


verview 
1. What do you believe is the curent phase of this project? 


Enthusiasm 
Disillusionment 

0 

Panic 

Search For the Guilty 
0% 


Punishment of the Innocent 
Praise and Honor for Non-Participants 
0% 


3 total responses 
2. Do you think the project will ever end? 


1. Yes 
EAT ero 


4 
[E] Done I 


lð Intemet 7 
Figure 35-25. The graphical summary of 
survey responses looks like this. 


Creating other kinds of lists follows basically the same pattern as creating 
a survey. This is because, in fact, a survey is nothing but a list where each 


row is a survey response and each column an answer. 


a All Survey Responses - Microsoft Internet Explorer 
| File Edt View Favorites Tools Help 
| Address J] http://127.0.0.1 /Lists/Status%204Assessment/alltems. htm 


Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Sa Team Web Site 
Status Assessment 


Select a View: HS Respond to this survey | Subscribe © Modify survey and questions 


Overview 
View Response Created By Modified 


View Response #1 Mary Smith 1/30/2001 11:02 PM 


Graphical 
Summary 
a All Responses View Response #2 Otto from Ottawa 1/30/2001 11:03 PM 


View Response #3 Jim Buyens 1/30/2001 11:03 PM 


Figure 35-26. This Web page displays all responses to a survey. 


Administering SharePoint Team Web Site 
Settings 


To modify and configure settings that apply to the entire SharePoint team 
Web site, click the Site Settings link in the menu bar of any team Web site 
page. This displays the Site Settings page shown in Figures 35-27 and 35- 
28. 


On this page are the following: 


e Web Site Settings. The first portion of the Site Settings 
page controls the SharePoint team Web site’s name, 
description, and home page layout. These are the links in 
this portion: 


e Change Site Name And Description. Click 
this link to display a Change Site Name And 
Description page that modifies the name and 
description of the SharePoint team Web site. 


e Customize Home Page Layout. Click this 
link to display a Home Page Layout page that 
determines which lists should appear in the 
center column of the SharePoint team Web 
site’s home page and which should appear in 
the right column. (Recall that the left column 
of the home page contains the Quick Launch 
area, and that the Customization page for 
each list controls whether that list appears in 
the Quick Launch area.) 


In general, only the most popular lists should 
appear on the home page. Team members 
should click Documents, Discussion Boards, or 
Lists to access the rest. 


3 Site Settings - Microsoft Internet Explorer 
Í Eie Edt View Favorites Tools Help 
Back ~ > - Q À A| QSearh Favorites BHistoy | Sx Sp O) ~ a 


| Address g] http: //127.0.0.1/_layouts/settings.htm 


i) Home | Documents | Discussion Boards | Lists | Create | Site Settings | Help 


Team Web Site 
Site Settings 
Use this page to change the settings of this Web site. 


Web Site Settings 


=o Current name and description of this Web site: 
cl 


Team Web Site 


5.0.2,.2511 


Web Administration 


% The links below take you to administration pages where you can perform tasks such as 
adding users, sending invitations, and creating new subwebs, 


E | | [Ø Internet 


N 


Figure 35-27. The Site Settings page 
controls properties that affect an entire 
SharePoint team Web site. 


3 Site Settings - Microsoft Internet Explorer 


ll File Edit View Favorites Tools Help e] 


ll Back ~ > - @ A A| GSearch G Favorites CBHistoy | G- SO ~ |S 


User Information 


Eg site and change your own information. 


Modify Site Content 


l| | Address ja http://127.0.0.1/_layouts/settings.htm z] P Go | 


so The links below take you to pages where you can view information about users of this Web 


the "Customize" links below. 


Shared Documents" 
Status Assessment" 


Customize "Tasks" 


B Create new content 


To change the design of a list, document library, discussion board, or survey, click one of 


2] gzj 


Figure 35-28. This is the bottom half of 
the Site Settings page that appears in 
Figure 35-27. 


e Web Administration. This portion of the Site Settings page 


contains links that add or remove users, create subwebs, 
and jump to overall site administration. Here are the links: 


e Manage Users. Click this link to display the 
Web page that adds, removes, or changes the 
roles of users who have access to one or more 
Webs on the current server. 


If a SharePoint team Web site has no 
designated users, the Manage Users link and 
the Send An Invitation link described next 
won't appear. Instead, a Change Permissions 
link appears. Use the Change Permissions link 
to add one or more users. The Manage Users 
and Send An Invitation links will then appear. 


For more information about 
managing user access to 
FrontPage-based Webs, refer to 
“Managing SharePoint Team 
Services Users.” 


e Send An Invitation. Click this link to run a 
wizard that gives team members access to the 
SharePoint team Web site and sends them e- 
mail. The e-mail describes the team Web site 
and invites them to participate. 


e Create A Subweb. Click this link to create a 
subweb within the SharePoint team Web site. 


e Go To Site Administration. Click this link to 
display the Administration page for the 
SharePoint team Web site. 


For more information about the 
Administration page for FrontPage- 
based Webs, refer to “Administering 
SharePoint Team Services Web 
Settings.” 


e User Information. This portion of the Site Settings page 
provides options to modify your own SharePoint team Web 
site account or, if you’re an administrator, the accounts of 
others. This portion’s links are as follows: 


e Edit My Information. Click this link to 
display a Personal Settings page that shows 
and modifies your own user account 
information. 


A hyperlink titled Edit User Information 
updates your full name, the address to use for 
sending e-mail, and any notes you care to 
provide. 


A hyperlink named Change Password changes 
your password. 


A hyperlink named Manage Personal 
Subscriptions displays all subscriptions you 
currently have in effect, and provides a way to 
delete those you no longer want. 


e View User Information. Click this link to 
display a list of users who have participated in 
or been invited to use the current SharePoint 
team Web site. This page contains hyperlinks 
to add or remove users, to invite new users, 
and to modify the full names, e-mail 
addresses, and notes pertaining to any known 
user. 


e Modify Site Content. This portion of the Site Settings page 
contains links to customize each document library, 
discussion board, and list in the current SharePoint team 
Web site. These links display the same pages that displaying 
the list and clicking Modify Settings And Columns would 
display. 


Creating Custom List Pages 


SharePoint team Web sites provide a wealth of methods for 
modifying their features and appearance. Even so, there might 
be times when you need more flexibility and need it badly 
enough to dive in and work directly with the Web pages. This 
section explains the options and techniques for doing just that. 


The easiest way by far to create a new list is by 
clicking the new List link or the Team Web Site lists 


page. Similarly, the easiest way to modify a list is by 
clicking the Modify settings and columns link on its 
main Web 


The first option, of course, is simply to open the SharePoint team 
Web site, find the team Web site page you want to change, and 
open it in Page view. This works subject to one large restriction: 
team Web site pages submit input to and receive output from a 
number of programs that run on the Web server, and you can’t 
readily change these programs. (They’re not ASP pages, for 
example). Therefore, anything you do that upsets the interface 
between team Web site pages and team Web site server 
programs breaks the site. Chapters 8 and 9 explained the 
structure of a SharePoint team Web site and gave some 
precautions for modifying constituent pages. 


For more information about creating a SharePoint 
team Web site, refer to “Creating a SharePoint Team 
Web Site.” For more information about creating, 
saving, and opening files in a SharePoint team Web 
site, refer to “Saving and Opening Files in SharePoint 
Team Web Sites.” 


Creating and Modifying Library View Pages 


Figure 35-29 shows a Web page that’s a curious mix of 
SharePoint team Web site and custom features. The menu bar 
and data in the center of the page come from the Share 
Documents library of a SharePoint team Web site. Nevertheless, 
the page contains custom formatting and could contain custom 
content as well. What’s more, this is a page you can create 
yourself from scratch. Here’s the procedure: 


1. Start FrontPage and create a new empty Web page. 
2. Choose Web Component from the Insert menu. 


3. When the Insert Web Component dialog box 
appears, choose Document Library View from the 
Component type list at the left, and a View Style 
from the Choose A View Style list at the right. Don’t 
agonize over the View Style; you can easily change 
this later. Click Finish. 


4. When the Choose Document Library box shown at 
the left of Figure 35-30 appears, choose the 
SharePoint team Web site shared document library 
you'd like to display, and then click OK. 


| Ee es SES 
| File Edit View Favorites Tools Help 


| HBack ~ > > @ A A| QSearch Favorites {Histon | E4~ Sp O) a | 


| Address Æ] http://steel.interlacken.com/fp-iso/team/doclist.htm v| @Go 


Microsoft FrontPage Version 2002 Inside Out 
by Jim Buyens 


Shared Documents 


12) New Document | [4 Upload Document | 0 Filter | Subscribe a Modify settings and columns 


File Name Type ||Title Created Date File Size 


CostBene %) Cost Benefit Analysis 11/9/2000 9:10 PM 15 KB 
deliverables ® List of Deliverables 11/9/2000 9:10 PM 5KB 
Project Charter &] Thisis a team collaboration website document 11/9/2000 9:09 PM 20 KB 


Copyright © 2001 Jim Buyens 
Last updated February 7, 2001 


Figure 35-29. You can construct replacement 
Team Web pages that look any way (and 
display any additional content) you want. 


When the Document Library View Properties dialog 
box shown at the right of Figure 35-30 appears, 
review the settings list at the right of each 
vertically arranged button. 


Choose Document Library BE Document Library View Properties BE 


Choose a document library: Library... | Shared Documents 
Fields... | File Name, Title 
Sort... | None 
Filter... | None 
Options... | Basic table 


(& Shared Documents 


Figure 35-30. The dialog box at the left 
selects the document library that a Document 
Library View area will report. The dialog box at 
the right provides entry to all configurable 
aspects of a Document Library View area. 


5. Click Library to choose a different document library. 
This redisplays the Choose Document Library box 
shown at the left of Figure 35-30 so you can choose 
a different library. 


6. Click Fields to change the information displayed for 
each document. The Displayed Fields dialog box 
shown at the left of Figure 35-31 appears. 


Displayed Fields BE 
Choose the fields to display. 


Sort BE 
Available fields: Sort order: 


Created Date Add >> | ZS File Name 
Document Created By ioe 
oe Modified By RET | 

Mave Up 


Modified By 
Title 


Available fields: Displayed Fields: 


Document Created E 
Document Modified E 


Edit (link to edit item <<R | 
File Name (linked to SEE 
File Name (no path) | 
ID Move Up 


Last Modified 
Modified By 


Mave Dow 
>j Change Sort | 
cme | 


s | 


Figure 35-31. The Displayed Fields dialog box 
at the left controls which fields a Document 
Library View area will display. The Sort dialog 
box at the right controls which fields affect the 
item display order. 


Make any necessary changes by using the following 
options: 


e Available Fields. This list contains 
all the fields in the shared document 
library that the current Web page 


doesn’t already display. To display 
any of these fields, either double-click 
it or select it and click Add. 


e Add. Click this button to move any 
selected fields from the Available 
Fields list to the Displayed Fields list. 


e Remove. Click this button to move 
any selected fields from the Displayed 
Fields list to the list Available Fields. 
(Compared to the Add button, this is 
a case of “Second verse, played in 
reverse.”) 


e Move Up. Click this button to move 
any fields selected in the Displayed 
Fields list one position higher in that 
list. 


e Move Down. Click this button to 
move any fields selected in the 
Displayed Fields list one position 
lower in that list. (A clear case of 
“What goes up...”) 


Displayed Fields. This box lists all 
the document library fields that the 
current Web page displays. To 
remove any of these fields, either 
double-click it or select it and click 
Remove. 


After some field names, the Displayed Fields dialog 
box displays a suffix that refers to a link. One of 
these, for example, is Edit (Link To Edit Item). If 
you included such a field on your page (that is, if 
you add it to the Displayed Fields list), a visitor can 
click the displayed value to invoke the 
corresponding action (for example, Edit). 


Unfortunately, linked fields in a 
Document Library View area suffer a 
major restriction: you have no control 
over the linked field’s URL. If you plan to 
use such links, you must put the pages 
where the SharePoint team Web site 
software expects them to be, and that 
means replacing the standard pages 
created when you initialized the team 
Web site, document library, or list. 


Currently there appears to be no 
workaround for this restriction. Try 
searching Microsoft’s knowledge base for 
more information; the URL is 
http://search.microsoft.com. 


7. Click Sort to change the initial order of the listed 
documents. This displays the Sort dialog box shown 
at the right of Figure 35-31, which provides the 
following controls: 


Available Fields. This list contains 
all the fields in the shared document 
library that don’t currently control the 
order of listed records. To use a field 
for sorting, either double-click it or 
select it and click Add. 


Add. Click this button to move any 
selected fields from the Available 
Fields list to the Sort Order list. 


Remove. Click this button to move 
any selected fields from the Sort 
Order list to the Available Fields list. 


Move Up. Click this button to move 
any fields selected in the Sort Order 
list one position higher in that list. 


Move Down. Click this button to 
move any fields selected in the Sort 
Order list one position lower in that 
list. 


Change Sort. Click this button to 
reverse the order of any selected Sort 
Order fields (from ascending to 
descending or vice versa). 


Sort Order. This box lists all the 
document libraries that the current 
Web page displays. To remove any of 
these fields, either double-click it or 
select it and click Remove. 


8. Click Filter to display only selected records from the 
current document library. This displays the Filter 
Criteria dialog box shown in Figure 35-32, which 
lists any criteria already in effect. 


The following options appear in the Filter Criteria 
dialog box: 


e Add. Click this button to define an 
additional filter. When the Add Filter 
dialog box shown in the center of 
Figure 35-32 appears, configure the 
following options: 


e Field Name. Select the 
field whose value you 
want to test. 


e Comparison. Specify 
the operator for the 
comparison: Equals, 
Not Equal, Less Than, 
and so forth. 


e Value. Enter the value 
that forms the basis for 
the comparison. For 
date fields, click Choose 
and then use the Date 
Value dialog box that 
appears at the right of 
Figure 35-32 to specify 
the value you want. 
Current Date means the 
date that the Web 
server processes the 
visitor’s request. 
Specific Date means a 
date you type by hand. 


For non-date fields, 
enter the desired value 
in the text box 
provided. 


e And/Or. Choose And if 
other filters, as well as 
this one, must be true 
for the record to be 
selected. Choose Or if 
this is one of several 
filters, any of which, if 
true, are sufficient to 
select the record. 


e Modify. Click this button to change 
an existing filter. This displays a 
Modify Filter dialog box that looks and 
works very much like the Add Filter 
dialog box just described. This button 
is dimmed unless you've already 
selected a filter. 


e Remove. Click this button to remove 
an existing filter. The button is 
dimmed unless you've already 
selected a filter. 


Filter Criteria KE 


Specify filter criteria to determine which documents are displayed. 


value | Andjor | 


| ‘Comparison { 
1/1/2001 And 


Created Date Greater Than Or Equal 


Modify... | Remove | OK If Cancel | 


Add Filter KE 


Field Name: Created Date X 
Comparison: Equals + | 
Value; f ‘Current Date] Choose... | 


And/Or: [and x] 
zE 
C Current date 
@ Specific date: 


l 1f 1/2001 ~] 
css | 


Figure 35-32. The Filter Criteria dialog box 
lists any current restrictions on the items 
displayed. Click its Add button to display the 
Add Filter dialog box, which adds a new filter to 
the list. If the filter involves a date field, click 
the Choose button to display the Date Value 
dialog box. 


9. Click Options to display the View Options dialog box 
shown in Figure 35-33. This dialog box configures 
the following settings: 


e Choose A Style. Choose a page 
layout design for the document 
library records. 


e Toolbar Type. Choose the type of 
toolbar that will appear above the 


library listing: 


e Full Toolbar. Choose 
this option to display a 
toolbar with five links: 
New Document, Upload 
Document, Filter, 
Subscribe, and Modify 
Settings And Columns. 


e Summary Toolbar. 
Choose this option to 
display a toolbar with 
two links: Shared 
Documents and Add 
New Document. 


e None. Choose this 
option if you don’t want 
to have a toolbar at all. 


The links on these toolbars follow the 
standard conventions that apply to 
SharePoint team Web sites. You can’t, 
for example, change them so they 
jump to custom pages. 


View Options HEI 


Choose a style: 


| 
Description: 


The basic table style shows a column for each Field you choose, and a new 
row for each item in the list. 


Options 


Toolbar type: ate: ~ 


Display all items together and limit the total number to: fio 


@ Display items in sets of this size: 100 


Text to display if no matching items are Found: 


[There are no items to show in this view, 
cm | 


Figure 35-33. Use this dialog 
box to specify the style, toolbar 
type, item limit, and zero-items 
message for a Document Library 
View area. 


e Display All Items Together And 
Limit The Total Number To. Select 
this option if you want the query to 
display all results on a single Web 
page. To avoid runaway queries, you 
should also enter a workable 
maximum record count in the 
accompanying text box. 


Display Items In Sets Of This 
Size. Select this option if you want 
the query to display a specific 
number of records on the first Web 
page, and then provide a Next link 
that displays the next group of like 
records. 


Text To Display If No Matching 
Items Are Found. Enter the 
message you want visitors to see if 
the library is empty or fails all 
filtering criteria. (For example, you 
might display “Thanks, you've just 
deleted our last six months’ work.”) 


10. When you’re done adjusting options, click OK on 
the Document Library View Properties dialog box 
(the right side of Figure 35-30). 


At this point your new Web page should display a recognizable 
SharePoint team Web site document list, albeit crudely 
formatted. Figure 35-34 provides an example. You can apply any 
formatting or add any additional content you want. 
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Figure 35-34. By default, creating a new Document Library 
View area provides very little formatting. 


To change any structural aspect of the Document Library View 
area, double-click it or right-click it and choose View Properties 
from the shortcut menu. Both actions display the Document 
Library View Properties dialog box already described. It works the 
same for changing a view area as it does for creating one. 


To perform more radical surgery, right-click the Document Library 
View area and choose Layout Customization View from the 
shortcut menu. This changes the Page view display to the format 
shown in the background of Figure 35-35. The library view area 
in the figure now looks like a table with six rows, but four of 
them are comments and two are very special. (If you chose a 
different layout style, your row numbers might differ, but the 
concepts are the same.) 


After you’ve switched a Document Library View area 
to Layout Customization View, you can change it back 
by right-clicking the area and choosing Live Data View 
from the shortcut menu. When you do so, however, 


FrontPage discards any changes you made while in 
Customization view. This is the price for making 
changes in a more flexible way than Live Data View 
can accommodate. Think carefully before changing 
back to Live Data View. 
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Figure 35-35. The List Field component displays the name 
or current value of any field in a document library or list. 


In the library view area: 


e The comment rows are 1, 3, 5, and 6. 


e Row 2 contains the column headings. This row 
appears only once whenever a visitor displays a 
page that contains it. 


e Row 4 contains a template for record values. The 
SharePoint team Web site software duplicates this 
row once for every record it displays from the given 
document library. 


By default, each cell in rows 2 and 4 contains a special 
component called a List Field. These components work a lot like 
Confirmation Field components in a Confirmation form, or 
Column Value components in a Database Results region: that is, 
they’re placeholders that the SharePoint team Web site software 
replaces with actual values when a Web visitor requests the 
page. You can use List Field components to display any document 
library field names or field values you want. 


Double-clicking an existing List Field component displays the List 
Field Properties dialog box shown in the foreground of Figure 35- 
35. Right-clicking the component and choosing either List Field or 
List Field Properties accomplishes the same thing. Use the 
following fields to modify a List Field component: 


Field To Display. Select the document library field 
that the List Field component should display. 


Display Options. Select Show The Field Name to 
display the name of the field. This is the usual 
setting for List Field components used in the 
heading area of the List View area. 


Select Show The Field Data to display the contents 
of the field. This is the usual setting for List Field 
components used in the repeating area of the List 
View area. 


To add a List Field component to an existing List 
View area, set the insertion point where you want it 
to appear, choose Form from the Insert menu, and 
then choose List Field. 


Creating and Modifying List View Pages 


If you can create and modify Library View pages, you can create 
and modify List View pages. The procedures are nearly identical. 
To get started: 


1. Start FrontPage and create a new empty Web page. 
2. Choose Web Component from the Insert menu. 


3. When the Insert Web Component dialog box 
appears, choose List View from the Component 
Type list at the left, and a View Style from the 
Choose A View Style list at the right. Don’t agonize 
over the View Style; you can easily change this 
later. Click Finish. 


Did you catch the difference? In step 3, you choose List View 
rather than Document Library View from the Component Type 
list. That’s it. Virtually everything that pertains to document 
libraries pertains to lists as well. This is just what you should 
expect, because a Document Library View doesn’t actually display 
the documents in a library; it displays information from the 
SharePoint team Web site list that describes the documents. 


There are a few other differences, such as the fact that 
SharePoint team Web site toolbars for document libraries and 
ordinary lists are slightly different. Keep an eye out for these and 
you shouldn’t have any problems. 


Creating and Modifying List Forms 


SharePoint team Web sites use a specialized Web component to 
create three of their most common forms. You can insert this 
component, and thus initialize such a form, by following this 
procedure: 


1. Start FrontPage and create a new empty Web page. 


2. Choose Form from the Insert menu, and then 
choose List Form. This displays the List Or 
Document Library Form dialog box shown in the 
foreground of Figure 35-36. 


3. Set the options in the List Or Document Library 
Form dialog box as follows: 


e List Or Document Library To Use 
For Form. Select the list or 
document library you want the form 
to update. 


e New Item Form (Used To Add 
New Items To The List). Select this 
option to create a form that adds new 
items to the list or document library. 


e Edit Item Form (Used To Edit 
Existing List Items). Select this 
option to create a form that modifies 
existing items in the list or document 
library. 


Display Item Form (Used To View 
List Items). Select this option to 
create a form that displays items in 
the list or document library. 


e Show Standard Toolbar. Select this 
box to display the standard 
SharePoint team Web site toolbar for 
the form type. 


4. Click OK to create the form. 


As with Document Library View and List View components, Page 
view should now display a crudely formatted but recognizable 
SharePoint team Web site form. You can add whatever formatting 
and content you want, but there isn’t much you can do to the 
form itself except double-clicking it to redisplay the List Or 
Document Library Form dialog box. 
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Figure 35-36. This dialog box controls the properties of a 
SharePoint team Web site form page. 


Again, as with Document Library View and List View components, 
you have very little flexibility regarding the location of pages that 
contain SharePoint team Web site forms. Specifically, you must 
locate forms that pertain to lists as follows: 


Form Type Location relative to start of Web 


New item form /Lists/<list-name>/NewForm.htm 
Edit item form /Lists/<list-name>/EditForm.htm 


Display item form /Lists/<list-name>/DisplayItem.htm 


Here are the locations for forms that pertain to shared document 
libraries: 


Form Type Location relative to start of Web 


New item form /<\library-name>/Forms/NewForm.htm 
Edit item form /<library-name>/Forms /EditForm.htm 


Display item /<\library-name>/Forms 
form /DisplayItem.htm 


These, of course, are the locations of the forms that appear 
automatically when you create a new document library or list. 
You can create pages from scratch and overlay the default ones, 
but in most cases it’ll be easier (and safer) to just open the 
default pages and modify them. That’s why Figure 35-36 shows a 
default list form open in the background. 


In Summary... 


This chapter explained how team members can 
use the features of a SharePoint team Web site to 
share documents and coordinate their activities. 
It also explained how to administer such a site, 
and how to create custom pages that perform 
standard functions. 


The next chapter explains some terms and 
concepts that pertain to the Internet in general 
and Web servers in particular. This is background 
material that, if you had need of it, you’ve 
probably skipped ahead and read already. 
Nevertheless it has to go somewhere, and it 
might as well be here. 


Microsoft Visio Inside Out 


Chapter 1 


Getting Started with Visio 


Microsoft Visio Standard and Microsoft Visio 
Professional 2002 provide a broad range of 
diagramming solutions that help people visualize 
and communicate ideas, information, and 
systems. You don’t need to be a professional 
illustrator or drafter to get professional results 
with Visio. Whether you need a simple flowchart 
or a multiple-page, highly detailed technical 
drawing, you can get up to speed quickly by 
dragging and dropping predefined shapes. Visio 
includes thousands of SmartShapes symbols that 
allow you to easily assemble business diagrams, 
technical drawings, and information technology 
models. Automatic layout and alignment tools 
provide design assistance that ensures 
professional results. 


As a member of the Microsoft Office XP family of 
applications, Visio is designed to complement 
Excel, Word, and PowerPoint. Visio diagrams 
stand on their own or increase the impact of your 
Office documents. This chapter introduces key 
concepts and the different versions of Visio, lists 
new features, and helps you get started working 
efficiently with this powerful application. 


What Is Visio? 


Some people might think that only artists can—or need 
to—draw. Visio can help you toss that belief out the 
door. Visio is a business and technical drawing and 
diagramming program that anyone can use to 
communicate concepts, procedures, product 
information, specifications, and more. Most of us 
respond to visual images on the Web and in the reports 
and e-mail we see every day, even when the 
accompanying text doesn’t grab our attention. Images 
such as charts, tables, process flows, floor plans, Venn 
diagrams, and so on use text and symbols to convey 
information at a glance. You could call this type of image 
an information graphic, and a good one can clarify an 
idea and help you to understand even complex concepts 
more quickly. Visio is designed to help you convey 
information visually—without requiring that you know 
how to draw. 


Visio does this by giving you so/utions to your 
diagramming needs: ready-to-use templates that set up 
a page appropriately and open stencils that contain 
predrawn shapes. For example, Visio includes several 
flowcharting solutions as Figure 1-1 shows. If you start 
with the Basic Flowchart template, Visio displays a new, 
blank drawing page and opens several stencils that 
contain the shapes you need to create a flowchart. You 
drag a shape from the stencil onto the page, which has 
a grid that helps you align your diagram. You might 
have heard this process referred to as “drag and drop. 
That is the fundamental idea behind everything you do 
in Visio. Perhaps even more important is the idea of 
connecting shapes. When you drag additional shapes 
onto the page to create a diagram such as a flowchart, 
special lines called connectors connect the shapes and 
stay attached when you move shapes around. By 
arranging and connecting shapes on the page, you can 
rapidly assemble a diagram that you can drop into 
another document, such as a report or presentation 
slide; save as a Web page; or print. 
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Figure 1-1. Visio provides you with diagramming 
tools that are specific to the type of drawing you 
choose to create. 


When you talk about dragging shapes, it sounds pretty 
simple. However, this simplicity is deceptive. The built-in 
solutions you'll find in Visio range from straightforward 
block diagrams to complex relational data models. The 
advantage to you is that no matter what type of 
information you want to present visually, Visio has a way 
of getting it done. 
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The Visio team has conducted much usability 
research in past years that indicates a 
consistent theme: Visio often overwhelms 
new users with the number of new terms 
they have to learn. Even if you're very 
comfortable with other Microsoft Office 
applications, you can expect to wrestle a bit 
with Visio terminology at first. Part of the 
difficulty is that the term template is often 
used interchangeably with drawing type and 
solutions in different documents and on the 
Web site. Moreover, the part of the Visio 
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screen where stencils appear is labeled 
Shapes, and shapes themselves are 
sometimes called SmartShapes symbols, 
masters, or master shapes. If you're 
confused, you're not alone—but don’t worry. 
As you use Visio, you'll pick up the lingo you 
need to know. This book tries to use the 
terms templates, stencils, shapes, and 
master shapes consistently. 


Two Versions: Visio Standard and Visio 
Professional 


Visio comes in two flavors: Visio Standard 2002 and 
Visio Professional 2002. The two versions differ in their 
intended audience, which is reflected in the number and 
type of templates and shapes they include. Visio 
Standard is intended for business professionals who 
need to communicate visually about their organization’s 
people, projects, and processes. The following visual 
solutions are included: 


Block Diagram. Includes the Basic, 
Block, and Block with Perspective 
templates. These are useful for showing all 
types of relationships and hierarchies and 
provide the basic arsenal of information 
graphics tools. 


Flowchart. Includes templates for 
creating audit diagrams, basic flowcharts, 
cause and effect diagrams, cross- 
functional flowcharts, mind mapping 
diagrams, total quality management 
(TQM) charts, and workflow diagrams. 


Form and Chart. Includes templates for 
designing business forms; creating quick 
pie, line, and bar charts and graphs; and 
creating marketing diagrams. 


Office Layout. Provides a quick way to 
design accurate, to-scale office and 
furniture layouts. 


Map. Includes templates for creating 
simple street maps and attractive 3-D 
maps. 


Network. Includes shapes designed to 
resemble common network topology and 
devices. Useful for planning and 
documenting small to medium-sized 
networks. 


e Organization Chart. Includes intelligent 
shapes that “know” their position in an 
organization, so that reporting structures 
stay in place. You can even use the 
Organization Chart Wizard to automatically 
build a chart from a spreadsheet or 
database without having to draw a thing. 


e Project Schedule. Includes templates for 
creating PERT charts, Gantt charts, 
timelines, and calendars, so you can keep 
your projects on track. 


Visio Professional is intended for technical professionals 
—IT personnel, database and software programmers, 
and engineers—and includes many industry-specific 
solutions. If you have Visio Professional, you have all the 
templates and shapes that are included with Visio 
Standard as well as the following solutions geared 
specifically for the technical audience: 


e newfeature! Building Plan. Includes 
templates for creating plan-view drawings 
of corporate offices and industrial 
manufacturing facilities. Designed for 
space planners and building engineers, 
this solution lets you create floor plans, 
home plans, plant layouts, reflected ceiling 
plans, site plans, and the building services 
schematics that support them. 


e Database. Includes templates for 
communicating database designs using 
multiple notations and is intended for 
database professionals. With the Database 
Model Diagram template, you can even 
reverse engineer and get support for 
leading client/server and desktop 
databases. 


e newfeature! Electrical Engineering. 
Includes a variety of templates used by 
electrical engineers for creating electrical 


and electronic schematics, wiring 
diagrams, and logic diagrams. 


e newfeature! Mechanical Engineering. 
Includes templates for diagramming fluid 
power control systems and hydraulic or 
pneumatic circuits as well as part and 
assembly drawings. 


e Network. Includes further templates for 
creating high-level, logical diagrams and 
for designing local area networks, wide 
area networks, wiring closets, server 
rooms, and telecommunications 
structures. In addition, you can create 
diagrams of Microsoft Active Directory, 
Novell Directory Services (NDS), and other 
LDAP-based directory structures. 


ə newfeature! Process Engineering. 
Includes templates for assembling detailed 
piping and instrumentation diagrams 
(P&IDs) and process flow diagrams (PFDs) 
used by many chemical and industrial 
engineers. 


e Software. Includes templates for major 
object-oriented software notations, 
including the full Unified Modeling 
Language (UML) 1.2 notation. In addition, 
you can diagram data flows, Windows user 
interfaces, COM and OLE objects, and 
more. 


e Web Diagram. Includes templates for 
automatically mapping Web sites and 
conceptual shapes for planning new 
designs. 


With everything from block diagrams to UML software 
models, Visio satisfies a wide range of diagramming 
needs for a diverse audience. This book covers both 
products, which means that some chapters won’t apply 
to you if you have Visio Standard. You'll see a note when 


the information in a chapter applies to Visio Professional 
users only. 


Microsoft Office Diagram Gallery vs. 
Visio 

The Microsoft Office Drawing Toolbar and 
Diagram Gallery deliver straightforward 
drawing tools right in Microsoft Office XP 
applications such as Excel, Word, and 
PowerPoint. You can use these tools to create 
simple drawings and sketches in your Office 
documents, so why fire up Visio at all? It’s a 
question of scale. For that quick, two-step 
process chart, use the tools in Microsoft 
Office. For anything more complex, it’s 
probably more efficient to use Visio, a 
dedicated drawing application—and you can 
more easily reuse the results. 


Drag-and-Drop Diagramming with Shapes 


If you’re new to Visio, you may think shapes look a lot 
like clip art. In fact, shapes have built-in intelligence— 
their “smarts”—that makes them work in uniquely 
appropriate ways. For example, you can use auto- 
routing lines to connect process shapes in a flowchart. 
When you move a process shape, all the lines stay 
connected and reroute around other shapes as 
necessary, as Figure 1-2 shows. What a huge time 
savings that represents! The truth about shapes is that 
you shouldn’t notice how smart they are, because they 
just work the way you expect them to. 


Shapes are smart in other ways, as well. For example, 
door shapes in an office layout can swing in or out by 
using a single command; valve shapes can rotate into 
place automatically on a pipe; milestone shapes can 
shift position on a timeline as you adjust dates. And 
these are just a few examples. The type of drawing you 
create determines the type of shape smarts you'll see. 
On one hand, this means that Visio can seem 
inconsistent. Techniques that work with flowchart shapes 
may not apply to organization chart shapes. On the 
other hand, a template and the shapes it provides are 
designed to make it easy for you to create a specific 
type of drawing. Visio is not a fixed menu; it’s more like 
a buffet table with many options for combining great 
ingredients. 
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Figure 1-2. When you drag a shape that’s 
connected to other shapes, Visio’s built-in 
“intelligence” takes care of the connections for you 


and reroutes lines automatically. 


Diagramming in Visio Standard vs. Modeling 
in Visio Professional 


Is Visio the ideal tool for busy business users who want 
to assemble great-looking graphics in no time? Yes. Is 
Visio the ideal tool for modeling real-world systems and 
tracking detailed component specifications? Yes. Are we 
talking about the same product? Yes! It’s a matter of 
perspective. The diagrams you can create with Visio 
Standard tend to be conceptual diagrams—shapes that 
show connections and relationships, as in flowcharts and 
timelines. Visio Professional includes more modeling 
capability. Shapes represent real-world objects with 
attributes, such as 10-foot walls that enclose office 
number 4N171, which is occupied by Steve Albouca, 
whose title is vice president. 


Why would you need to understand the difference 
between diagramming and modeling? If you only ever 
use Visio to create one type of diagram, it doesn’t 
matter and you can ignore this section. However, if you 
use several Visio templates, you will probably discover 
that you need different methods for working with 
different types of diagrams, and this can make Visio 
seem hard to use. Despite the “drag-drop-done” 
philosophy, which says that you just click shapes into 
place and Visio practically draws for you, some Visio 
templates do not work that way. If you know this up 
front, maybe you won’t be quite so frustrated when you 
can’t seem to get a shape to look or work the way you 
want. 


One of the primary goals of this book is to help you 
work successfully in any Visio diagram type, regardless 
of a solution’s idiosyncrasies. It can help to think of each 
different diagram type or solution as a separate 
application with unique rules. 


What’s New in This Release 


You won't find many new shapes in Visio 2002, 
although there are a few. The real difference with 
this release is in a more polished look up front 
and more refined engineering behind the scenes. 
It all works—this is a better-tested product than 
Visio 2000, and it shows in improved 
performance and fewer bugs. In addition, 
because the Visio development team is now part 
of Microsoft, they had access to tools used by the 
Microsoft Office XP team, which means that Visio 
integrates better than ever with Office products. 
Visio 2002 includes the following new shapes and 
templates: 


e 3-D directional maps 
e Curved wall shapes for floor plans 
e Additional network shapes 


e Updated Windows user interface 
shapes (Visio Professional only) 


e Enterprise Application template 
(Visio Professional only) 


The following new features enhance the way you 
work in Visio: 


e Better Web pages from Visio 
diagrams. The improved Save As 
Web Page command delivers crisper 
HTML and superior GIF and JPEG 
graphics. Improved hyperlinks add 
navigation to your diagrams, and 
now you can even add multiple 
hyperlinks to one shape. When you 


save your diagram as a Web page, 
the hyperlinks are positioned more 
accurately. A new HTML custom 
property frame saves a diagram’s 
custom properties, too. Visio also 
exposes its Web functionality 
through its API so that developers 
can save multiple Visio files as 
HTML in a batch process. 


New photo editing tools. You can 
refine imported bitmaps in Visio 
with tools for adjusting contrast and 
brightness. You can also directly 
import pictures from digital 
cameras. 


Smoother graphics and text. 
New support for smooth fonts 
makes on-screen text easier to 
read in Visio, thanks to Microsoft 
ClearType technology. Visio also 
supports transparent fill colors and 
smoother gradients, so shapes look 
better. 


Better data storing and 
reporting capabilities. Improved 
support for defining the custom 
properties stored with shapes 
makes it easier for you to 
customize and store shape 
specifications, asset information, 
and other data. Then you can use 
the new Report tool to define 
reports based on shape properties. 
When you generate your report, 
you can output it as a Visio shape, 


an Excel document, an HTML file, or 
as XML format. 


Many Visio solutions have been 
enhanced as well. For example, the 
Office Layout template in Visio 
Standard and the Building Plan 
solutions in Visio Professional include 
new curved wall shapes and smoother 
performance, and you can generate 


timelines and Gantt charts by 
importing project tasks and milestones 
from Microsoft Project. Other new, 
shape-specific and template-specific 
improvements are mentioned 
throughout this book in the chapters 
about particular solutions. 


Visio includes numerous enhancements across 
the board to make the work environment more 
like other Office XP products, including the 
following new tools: 


e AutoCorrect (IntelliSense). You 
can insert, correct, and format text 
as you type, just as in Word. 


e Auto save and recovery. Like 
Word and PowerPoint, Visio now 
can save your drawing files 
automatically at specific time 
intervals. If an error occurs, the 
recovered file is opened, giving you 
the option of discarding the file, 
saving it over the original, or saving 
it as a separate file. 


e Answer Wizard Help. You can 
type questions in a “How Do I?” 
field just as you do on the Office XP 


menu bar. The docked Help pane 
tiles alongside your drawing page 
for easy access to answers while 
you work. 


Clip Gallery Live. If you have 
Office XP installed with Visio, you 
can directly access the Office Clip 
Gallery Live from within Visio. 


e Common color palette. Visio 
diagrams look even better when 
added to your Office documents, 
because Visio now uses the same 
color palette as Office. 


e Task panes. Visio works just like 
Office, with easy access to 
important tasks in a single 
integrated view. From the task 
pane, you can perform in-depth 
searches across documents as well 
as open an existing diagram or 
document or create a new one. 


e Personalized (short) menus. 
Adaptable menus bring commonly 
used commands to the top while 
hiding the others. If you pause 
while displaying a menu, Visio 
expands the menu to reveal all 
commands. Commands you use are 
added to the menu, “personalizing” 
it. 


Restore Full Visio Menus 


Use the Tools, Customize command to 
restore menus to their Visio 2000 
appearance. On the Options tab, 


select the Always Show Full Menus 
check box. 


For details about new features in the Visio Setup 
program, see “New Installation Features”. 


What You Won't Find in This Release 


In every version of Visio software since the first 
release, the Visio team has been careful not to 
remove features if at all possible. Command 
names may change or functionality may evolve or 
move within the product, but shapes and 
templates are usually not removed. Until this 
release. Several templates that used to ship with 
Visio Professional are no longer included with the 
product, although you may still be able to get 
them from the http://www.microsoft.com Web 
site. Entire products that you used to be able to 
purchase—Visio Technical and Visio Enterprise— 
are no longer available in that form, but their 
contents can still be found elsewhere. The net 
result is that the Visio product line is easier to 
understand, but if you were partial to Visio’s 
geographic maps, it just became a little tougher 
to create them. 


For details about the templates and 
stencils you will find in this version, 


see Appendix B, “Template and Stencil 
Reference.” 


Templates That Have Moved 


All the templates, shapes, and add-ons that were 
included with Visio 2000 Technical Edition are 
now a part of Visio Professional 2002. Some 
templates that were included with Visio 2000 
Standard Edition are not included with Visio 
Standard 2002. Instead, they have been added to 
Visio Professional. The templates that moved 
from Standard to Professional are Data Flow 


Diagram, IDEFO Diagram, and SDL Diagram from 
the Flowchart solution. 


Other templates that used to be included with 
Visio 2000 are no longer shipped with the 
product, but may be available through the Web. 
Microsoft plans to make the following templates 
available by download: 


e Database templates. Bachman, 
Chen ERD, Martin ERD, and Booch 
OOD. 


e Software templates. Fusion, 
Jacobsen Use Cases, Nassi- 
Schneiderman, Rumbaugh OMT, 
Shlaer-Mellor, SSADM, System 
Structure, and Yourdon And Coad. 


Features Deleted from Visio 


Some tools, wizards, and add-ons that were 
available in Visio 2000 have been removed from 
Visio 2002 or have been replaced by improved 
features. In some cases, Microsoft plans to make 
an add-on or tool available as a download; it’s 
worth visiting the Web site to see what’s 
available. Table 1-1 sorts out what went where. 


Table 1-1. Features No Longer in Visio 


Deleted Status 

Feature 

Custom Replaced by Define Custom 
Properties Properties dialog box 


Editor 


Deleted Status 

Feature 

Chart Shape No longer supported 
Wizard 


Datasheets No longer required by the 
redesigned Process 
Engineering solution 


Internet No longer required by the 
Diagramming redesigned Web Site Map 
Wizard template 

Netlist May be available as a Web 
Generator download 

Network Replaced by improved tools 
Database available in new Visio 
Wizard Network Tools add-on 
Network Replaced by improved tools 
Diagram available in new Visio 
Wizard Network Tools add-on 


Office toolbar Technology rendered 
macros irrelevant by Windows 2000 
enhancements 


Page Layout No longer supported 
Wizard 


Property Replaced by new Report tool 
Reporting 
Wizard 


Deleted 


Feature Status 


Property Line No longer supported 
add-on 


Print May be available as a Web 
ShapeSheet download. 


Shape Replaced by Shape Gallery 
Explorer 


SmartShape May be available as a Web 


Wizard download 

Stencil May be available as a Web 
Report download 

Wizard 


Synchronize No longer supported 
Shapes add- 
on 


Valve Builder May be available as a Web 
download 


Information for Visio Enterprise 
Customers 


The advanced network diagramming and 
documentation solutions formerly found in Visio 
2000 Enterprise Edition are now available in 
Microsoft Visio Network Tools. This add-on to 
Visio Professional also provides online access to 
additional network documentation updates and 
information via the Visio Network Center. 


The database and software modeling technology 
that was previously found in Visio 2000 
Enterprise Edition has been relocated to Microsoft 
Visual Studio.NET Enterprise Edition. So if you 
want to graphically describe database schemas 
and software applications and generate code 
based on models, you can now do so using the 
Application Design Workbench in Visual 
Studio.NET. You will find numerous updated 
features as well, including support for SQL Server 
2000 and Visual Studio.NET programming 
languages. 


Why was Visio Enterprise 
discontinued? This happened for 
several reasons; the primary reason 
was to simplify the Visio product line 
for everyone. Four editions were too 
confusing. The idea with the Visio 
Network Tools add-on is that the IT 
audience who uses Visio Professional 
can obtain new and updated solutions 
on a continual basis from the Visio 
Network Center Web site. In addition, 
customer research indicated that the 
vast majority of Visio users who need 
software and database modeling 
functionality also use Visual Studio, so 


Microsoft thought it made sense to 
integrate these two technologies. 


Information for Visio Technical 
Customers 


Visio Technical is now included in Visio 
Professional. The Visio 2000 Professional and 
Technical editions were combined into a single 
product in response to feedback from Visio 
Technical customers, whose diagramming needs 
span multiple technical disciplines, including both 
IT and facilities management. 


Starting with the Diagram Type You Want 


Many people approach Visio as they would Word or Excel and 
expect a blank page to appear. With Visio, though, you’re better 
off starting with a template. The page may still be blank at first, 
but at least by basing it on a template, the appropriate set of 
shapes will appear. It’s easy to select the template you want, 
because when you start Visio, the Choose Drawing Type pane 
shows you previews of the types of diagrams typically created 
with a particular template, as Figure 1-3 shows. 
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Figure 1-3. When you start Visio, you can preview sample 
diagrams for each template within a category. 


Choose a Drawing Type 


When you're working in Visio, you can display the 
Choose Drawing Type pane without closing and 
reopening the program by clicking File, New, Choose 
Drawing Type. A shortcut to the categories of 
templates is to click File, New, and then click a 
category to display a submenu of templates. 


Starting with a Template 


You can start Visio with a new, blank drawing, which opens only a 
drawing page and no stencils. However, starting with a template 
provides important advantages that help you work more 
efficiently: 


e A template can help you solve formatting and 
design problems in advance. It sets up the 
appropriate size and orientation of the page for the 
type of diagram you want to create. 


e A template opens the stencils that contain the 
shapes you'll need to use. It includes diagram- 
specific styles for formatting the shapes. 


e A template displays rulers and a grid on the 
drawing page and sets them appropriately for the 
type of diagram. Templates with “US Units” in the 
name start a page that displays a ruler with inches; 
otherwise, metric units are used. 


e Some templates add special-purpose menus and 
toolbars. The only way to create certain types of 
diagrams in Visio and take advantage of timesaving 
features is to start with the appropriate template. 


For all these reasons, you’re almost always better off using a 
template. It sets up your working environment for you, so all you 
have to do is add shapes and text. 


To start a diagram with a template: 


1. On the Start menu, click Programs, and then click 
Microsoft Visio. 


2. In the Choose Drawing Type pane, click a drawing 
type under Category. 


Pictures of specific diagram types appear in the 
area under Template. Each picture represents a 
sample diagram created using that template. 


newfeature! When you install Visio, 
you have the option to install metric 
versions of the templates and add-ons. 
If you choose this option, you'll see two 
copies of each template in the Choose 
Drawing Type pane: one labeled “(US 
Units)” and one not. The only difference 
is whether the page is set up for United 


States units (inches) and page size or 
metric units and page size. 


3. Click the picture that represents the diagram type 
you want to create, and then click OK. 


Visio opens a new drawing page. Stencils 
containing shapes appropriate for that diagram 
type appear on the left, as Figure 1-4 shows. 


Visio templates establish other page 
settings that can vary from diagram to 
diagram. For example, some templates 
adjust the way shapes snap into 
position, how they glue to one another, 
whether drawing pages have 
backgrounds, and more. This book 
discusses template-specific settings in 
the chapters that cover different 
diagram types. 
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Figure 1-4. If you start a new diagram based 
on the Basic Flowchart (US Units) template, 
Visio opens a letter-sized drawing page with 
three stencils. 
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Starting in the New Drawing Pane 


The Choose Drawing Type pane is a great way to learn about 
Visio’s offerings, but after you’ve created a few diagrams, you 
may prefer to work in the New Drawing task pane, shown in 
Figure 1-5. Like the list of recently opened files that appears on 
the File menu, the task pane shows you diagrams you've opened, 
templates that you've used recently, and options for starting a 
new diagram based on a template. 
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Figure 1-5. The New Drawing task pane provides shortcuts 
for creating new diagrams and opening existing ones. 


The New Drawing task pane repeats options that are 
available in the Choose Drawing Type pane and from 
the File menu and toolbars, so it may seem 
redundant. If you prefer not to see the New Drawing 
task pane when you start Visio, clear the check box at 
the bottom of the pane labeled Show At Startup. Then 
you can use the File menu to choose a drawing type. 
However, the New Drawing task pane has other uses. 
You can use it to display search options for locating 
files. Click the drop-down arrow on the New Drawing 
task pane’s title bar, and then click Search. 


Touring the Visio Window 


When you first start Visio, you see the menus and 
toolbars across the top, stencils along the side, rulers 
around the page, and the status bar below. In fact, a 
great deal of visual information is presented all at once, 
and all of it has built-in help in the form of ScreenTips. 
Pause your mouse over a toolbar button or a shape, and 
a small box or balloon containing a helpful tip appears, 
as shown in Figure 1-6. 
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Figure 1-6. Many screen elements include tips that 
appear when you pause the mouse over an item. A 
shape’s tip describes a shape’s purpose. 


newfeature! If you've upgraded from a previous 
version of Visio to Visio 2002, one of the biggest 
changes you'll notice are the new, personalized menus, 
which may be disorienting at first. Commands you 
expect to see may not appear. By default, Visio displays 
only the most commonly used commands. To see the 
complete list, point to the double-arrow at the bottom of 
the menu, and after a moment, the full menu appears. 
As you use commands, Visio adds them to the menu. To 
work with the full menus all the time, click Tools, 


Customize. On the Options tab, select the Always Show 
Full Menus check box. 


Another important element of the Visio window is the 
status bar. As you work, changes you make to shapes 
are reflected on the status bar, as Figure 1-7 shows. 


Microsoft Visio - [Facility Move Flowchart:Page-1] -loj xj 


File Edt View Insert Format Tools Shape Window Help Type a question for help Slo f X 
Oreian 6QY | & zen EEA A Mo e 10% =| G), 

Flow Normal ~ Arial I ul Æ E]= A JZ =-=- £ 

Shapes =S= P udistdstudatal : 


Backgrounds 
Borders and Titles 
E Basic Flowchart Shapes 


Selected 
shape 


Position of 
each edge 


Figure 1-7. As you drag a shape on the drawing 
page, the status bar tells you its exact position. 


Customize the Visio Desktop 


Stencils don’t have to be green, pages don’t 
have to be white, and the page background 
(or pasteboard) doesn’t have to be light blue. 
To customize any of these colors, choose 


Tools, Options, and then click the View tab. 
Under Color Settings, you can choose 
different colors for stencils, pages, and other 
objects. Choices you make here change the 
Visio working environment until you choose 
different colors. 


Using the Toolbars for Drawing and 
Formatting 


Many of the most common editing tasks have a shortcut 
on the toolbars that Visio displays by default: Standard 
and Formatting. The Standard toolbar contains many of 
the same buttons that you see in other Microsoft Office 
programs. The Formatting toolbar contains style lists 
and options for formatting the appearance of text, lines, 
and fill—the interior color of shapes. You can use the 
Customize command on the Tools menu to add and 
remove commands from toolbars so that the shortcuts 
you use most are at hand. 


Visio has a toolbar for most every task. To choose the 
toolbars you want to work with, click View, Toolbars. A 
check mark appears beside the toolbars that are 
displayed. Click to display the toolbar you want. If you 
want to turn off the display of a toolbar, click a checked 
toolbar. 


What if you prefer to display toolbars vertically? You can 
dock and float toolbars (and other windows) by dragging 
them where you want. Toolbars are docked when they 
are attached to the side of the window. Usually they’re 
docked along the top, but you can drag them to an edge 
or the bottom of the Visio window. When you float a 
toolbar mid-screen, it displays a title bar as you see in 
Figure 1-8. 


Grab the title bar to drag the toolbar to a new position. 
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Figure 1-8. You can drag a toolbar to a more 
convenient location. To dock it again, drag it back to 
the top, bottom, or side of the Visio window. 


To close any Visio window, right-click its title 
bar, and then click Close. 


Working in the Visio Drawing Page 


The quickest way to fill a blank drawing page is to drag 
shapes onto it. When you start a diagram with a 
template, Visio typically opens several stencils, which 
Visio docks on the left side of the screen. To bring a 
stencil to the top of the stack, click its name. The stencil 
that was on top is minimized, as Figure 1-9 shows. You 
can drag an individual stencil window to a new location 
on the screen, or you can drag the entire Shapes pane 
and dock it in a new location, as Figure 1-10 shows. To 
move the stencil back to its original position, drag the 
Shapes title bar to the left side of the window; Visio 
automatically docks it against the side of the window. 
Rather than drag a stencil, you can right-click the 
Shapes title bar, and then click Float Window. You can 
resize a floating stencil by dragging a side or corner. 
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Click a stencil’s name to bring it to the front. 


Click a minimized stencil to display it. 


Figure 1-9. To display a stencil, click its name on 
the stencil window’s title bar. 
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Figure 1-10. Dock your stencils in a new position 
by dragging the Shapes title bar to the top, side, or 
bottom of the Visio widow. 


Stencils typically display three master shapes across and 
several down, although you can adjust this 
arrangement. The term master shape (or master) is 
used to differentiate between the shape as it appears in 
a stencil and the copy of it that you drag onto your 
page. You can resize the Shapes area to display more or 
fewer master shapes at a time: point to the gray area 
between the Shapes area and the drawing page. The 
pointer becomes a two-headed arrow, indicating that 
you can drag the window’s right border to resize it. 


Troubleshooting 


The Shapes window split the stencil 
windows in two. 


Because Visio can dock a window anywhere 
you drag it, if you inadvertently drag a stencil 
by its name, it can end up below the other 
stencils in a separate pane. To dock the 
stencil with the others, drag it into the middle 
of another stencil. At lower screen resolutions 


(such as 800x600), you may find it easier to 
use a two-step process: Drag the stencil into 
the middle of the drawing page, and then 
release the mouse button so that the stencil 
floats. Then, point to its title bar, drag it back 
into the Shapes window, and drop it in the 
middle of the open stencil. 


Panning and Zooming 


To get a good look at a diagram, you can zoom in close 
or zoom out to see the entire page. When you start a 
new diagram, Visio displays the full page. If you look at 
the Zoom box on the Formatting toolbar, you'll see the 
percentage of zoom. To get a close-up view, click the 
drop-down arrow on the Zoom box, and then choose a 
larger percentage. At 100% view, shapes appear on the 
screen at the same size they appear when printed. 


When you’re working in a large diagram, you can use 
the Pan & Zoom window to see where you are in the big 
picture, as Figure 1-11 shows. To display this window, 
click View, Pan & Zoom Window. Visio docks the window 
alongside the drawing page, but you can move it to a 
location or dock it with the stencils as you can do with 
any window in Visio. In the Pan & Zoom window, a red 
selection box highlights the area currently displayed on 
the drawing page. You can 


e Drag a side or corner of the red box to 
resize it, thereby changing the level of 
zoom on the drawing page. 


e Drag to create a new selection box in the 
Pan & Zoom window, which effectively 
displays a new area of the drawing page 
and zooms in. 
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Figure 1-11. In a large diagram, you can get a 
close-up view of the drawing page by zooming and 
maintain a bird’s-eye view in the Pan & Zoom 
window. 


Use the AutoHide icon (which looks like a 
pushpin) to allow windows to tuck out of 
sight when not in use. When you point to the 
window, it scrolls open again. 


Although the Pan & Zoom window is great for providing 
the big picture, you can also use keyboard shortcuts for 
moving around a drawing page and quickly zooming in 
and out as Table 1-2 shows. 


Table 1-2. Keyboard Shortcuts for Panning and 
Zooming 


Shortcut Effect 
Press Shift+Ctri+left mouse Zooms in 
button 


Press Shift+Ctrl+right mouse Zooms out 
button 


Press Shift+Ctrl+drag with the Zooms in on a 
left mouse button selected area 


Shortcut Effect 


Press Shift+Ctri+drag with the Pans the drawing 
right mouse button page 


In Visio, the zoom level at which you view 
and work on a drawing is independent of the 
scale you set for a drawing page. Whatever 
your drawing scale, you may still need to 


zoom in on a portion of a drawing to move 
shapes exactly or do other precise work. For 
example, you can change the magnification 
from 50% to 200%. 


Viewing Shapes and Pages in the Drawing 
Explorer 


Another useful tool in Visio that provides an alternative 
view of your diagram is the Drawing Explorer, as Figure 
1-12 shows. For some diagram types, it helps to see a 
hierarchical list of shapes and other objects sorted by 
page. The Drawing Explorer provides this view. To 
display it, click View, Drawing Explorer Window. In the 
Drawing Explorer, you can add, delete, and edit items in 
your drawing. You can even use it to locate shapes— 
when you double-click a shape that’s listed in the 
Drawing Explorer, Visio also selects it on the drawing 
page, making it more visible. 


“-Figure 1-12. The Drawing Explorer provides a 
hierarchical view of the shapes, pages, and other 
objects in your diagram. 


You can display the Drawing Explorer for any diagram 
type in Visio. However, some solutions include their own 
explorer windows for organizing information on the 
page. For example, a piping and instrumentation 
diagram includes a Component Explorer that works 
specifically with that solution’s shapes. These special- 
purpose explorer windows are described elsewhere in 
this book. 


Play Sounds in Visio 


If you find audible feedback amusing, you 
can have a sound play when a Visio window, 
such as the Drawing Explorer or Pan & Zoom 
window, opens and closes. To do this, use the 
Sounds And Multimedia (Windows 2000) or 
Sounds (Windows 98) option in the Windows 
Control Panel. In the Sound Events or Events 
box, select Restore Up or Restore Down 
under Windows. Click the drop-down arrow 
on the Name box, select a sound, and then 
click OK. 


Merging Windows 


If you work with drawing types that require the use of 
several view windows, consider taking advantage of a 
great new feature. You can merge windows, such as the 
Drawing Explorer and Pan & Zoom windows, which 
means to tuck one window inside another. Visio displays 
page tabs so that you can switch between windows, as 
Figure 1-13 shows. To merge windows, drag a window 
by its title bar into the center of a docked window. You 
can merge any anchored window, which includes the 
Custom Properties window, Drawing Explorer window, 
Pan & Zoom window, Size & Position window, and some 
template-specific windows. To display any of these 
windows, choose a command from the View menu. 


“-Figure 1-13. To conserve screen real estate, you 
can merge docked windows. 


Dock Windows 


The Shapes window where stencils are stored 
is a handy location for docking other windows 
while you work. For example, point to the 
title bar of a window, such as the Pan & 


Zoom window discussed later. Drag to the 
Shapes window, and then release the mouse. 
Visio arranges the window above or below 
the stencils so that all the tools you work 
with appear together. 


Finding the Information You Need 


As you work in Visio, you can display detailed task 
information in Help and find answers to specific 
questions by using the Answer Wizard. On the menu bar 
you can type a question in the Ask A Question box, as 
Figure 1-14 shows. When you press the Enter key, Visio 
lists possible topics of interest. When you click a topic, 
the Help window opens. You can dock it alongside the 
drawing page or float it on top for greater readability. 
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Figure 1-14. Type your question in the Ask A 
Question box on the menu bar and press Enter to 
start the Answer Wizard. 


Using Online Help 


There are several ways to display the Help window 
without going through the Answer Wizard. You can 


e Choose Help, Microsoft Visio Help, and 
then click the Contents tab to list topics, 
as Figure 1-15 shows. 


e Click the Help button on the Standard 


toolbar. 


e Press the F1 key. 
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# Microsoft Visio Help a] 
What's New 


Learn about the new features in Microsoft Visio 
Professional 2002, 


Microsoft Office Web site 


Visit the Microsoft Office Web site to Find additional . 
products, service, and assistance. 


Getting Started 


Learn the basics you need to create any Microsoft 
Visio drawing, 


Getting Help 


Learn about the different resources available to get 
help while you work, 


Sample Drawings 


View examples of Microsoft Visio drawings. a 


Help Topics 
è Accessibility features in Microsoft Visio 
è Keyboard shortcuts 
è Create a network diagram 
è Create a basic flowchart 
è Create a floor plan 
è Create an organization chart 
è Create a database model diagram 
e Create a Web site diagram 
Web Pages 
Click a link to visit the World Wide Web, 
e Microsoft Press 
zi 


Figure 1-15. You can dock or float the Visio Help 
window with the Auto Tile button. Use the tabs to 
hide or show the contents, Answer Wizard, and 
Index. 


You can locate information on the Index tab by 
searching for a keyword, or you can use the table of 
contents on the Contents tab to scan topics. The Answer 
Wizard tab provides another way to type your question 
and see a list of potentially related topics. 


Template Help 


For each template, you can get help on the most 
efficient way to draw, the best way to use and combine 
shapes, how to perform specific actions using shape and 
page shortcut menus, how and when to access wizards 
that automate tasks, and more. To get help ona 
particular template, press F1, click Contents, and click 
the plus (+) sign next to Drawing Types to expand the 
list. Expand the drawing type you want, and then choose 
the type and name of the template you want. 


If the Contents tab is not visible in the 
Microsoft Visio Help pane, click the Show 
button. 


To display generic information about how to 
use shapes, right-click a shape, and then 
choose Help. 


Dialog Box Help 


Another quick way to find answers when you’re working 
in a particular dialog box is to click its Help button, as 
Figure 1-16 shows. The Help pane opens with context- 
sensitive help—that is, details about each option in the 
dialog box. 
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Figure 1-16. When you choose a command that 
displays a dialog box, you can find out what each 
option does by clicking the Help button. 


Sources of Other Information 


Questions frequently arise while you work. If the Answer 
Wizard doesn’t have the answer, try the following Web 
resources: 


e For the latest Visio shapes, choose Find 
Shape on the File menu. It can search a 
Web-based database of Visio shapes and 
locate what you need. 


e For tips about working efficiently in Visio, 
see the Microsoft Office Web site 
(http://office. microsoft.com). 


e For articles about known issues and 
technical problems, search the Knowledge 
Base (http://search.microsoft.com). 


Information for Network Professionals 


If you’re using Visio Professional, the Visio Network 
Center Web site links you to more information about 
network diagramming tools. Microsoft very much wants 
Visio Professional users to know about the Microsoft 
Visio Enterprise Network Tools add-on, which includes 
shapes and solutions that ease network documentation. 
On the Visio Network Center site, you'll find new tools, 
up-to-date network equipment shapes, and advanced 
network solutions. 


Information for Visio Developers 


Visio is a graphical development platform that includes 
Visual Basic for Applications 6.3 (VBA). For example, 
corporations can build business-integrated applications 
for asset tracking, sales force automation, automated 
scheduling, data visualization, and so on by integrating 
Visio with their systems. Although this book is not 
specifically intended for the developer audience, 
technical information about Visio development tasks 
appears in several places in the product and on the 
Web: 


e Programmers and others who want to 
extend Visio can use the Developer 
Reference. To display it, click Help, 
Developer Reference. The Reference 
includes a complete Automation and 
ShapeSheet reference and information 
about programming with Visio. 


e Developing Microsoft Visio Solutions is the 
complete guide to creating shapes and 
programming with Visio. It’s available from 
Microsoft Press. 


e The Visio Developer Center 
(http://msdn.microsoft.com/visio) 
provides technical articles, code samples, 
and more. 


Troubleshooting 


Shape names are not readable on 
stencils. 


If you display only the shape icons, no text 
labels appear. To turn on your text labels 
again, click the tiny green icon in the upper 
left corner of the stencil’s title bar. In the 
shortcut menu that appears, click Icons And 
Names. 


If the problem is that the text is just too 
small to be read easily, you can try spacing 
the icons apart more or changing the colors 
to improve the contrast. The font size of the 
label itself can’t be changed. Click Tools, 
Options, and then click the View tab. Try 
adjusting the options under Stencil Spacing 
as well as the Stencil Text and Stencil 
Background options under Color Settings. 


Opening Visio Documents 


In Visio, you can open diagrams, stencils, templates, 
and workspace files. Each is represented by a different 
file extension: 


e VSD is a Visio drawing file. 
e VSS is a Visio stencil file. 
e VST is a Visio template file. 


e VSW is a Visio workspace file. 


Most of the time, you use the Open command or toolbar 
button to open a drawing file (.vsd). This section focuses 
on different ways to open diagrams. 


For details about opening and saving Visio 


files in XML format, see “Visio and XML File 
Formats.” 


Opening an Existing Diagram 


Now that Visio includes the same Open dialog box as 
Microsoft Office (see Figure 1-17), with the Places bar of 
shortcuts, you can quickly locate frequently used folders 
and documents. Not only can Visio 2002 open 
documents created in Visio 2000, Visio 2000 can open 
diagrams created in Visio 2002. Visio 2002 can open 
diagrams created in any earlier version of Visio. 
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Figure 1-17. Visio includes the same Open dialog 
box as other Microsoft Office XP programs. 


To open an existing drawing file: 


1. Click the Open button on the Standard 
toolbar to display the Open dialog box. You 
can instead choose File, Open or press 
Ctri+O. 


2. In the Look In list, open the folder that 
contains the file or files you want to open. 
Visio displays the folder’s contents. 


3. Click a file to select it. To open more than 
one drawing file, press Ctrl and then click 
the files you want. 


4. Click Open. 
Opening a Recently Used Diagram 


The quick way to find a diagram you worked on recently 
is to look on the File menu, which lists the most recently 
opened diagrams at the bottom of the menu. Click the 
file name to open the diagram. You can also use the 
New Drawing task pane to locate recently opened files. 
This is a good technique to use when you're starting 
Visio, because the Choose Drawing Type pane appears 
with the New Drawing task pane. If you’re working in 
Visio and want to display it, choose File, New, Choose 
Drawing Type. In the New Drawing task pane, you'll see 
the diagrams you’ve worked on under the Open A 
Drawing heading. If you don’t see the drawing you want 
listed, click More Drawings. Visio displays the Open 
dialog box, so you can locate the file you want. 


Opening Another Visio File Type 


Besides drawing files, Visio can open stencils, templates, 
workspaces, and files in other formats as well. Choose 
File, Open. The key is to use the Files Of Type drop- 
down list that appears at the bottom of the Open dialog 
box. Click the drop-down arrow to display a list of the 
types of files that Visio can open. Select a file format. 
Then, in the Look In list, open the folder that contains 
the file you want to open. Only the files of the type you 
selected are displayed, making it easy to locate and 
select the one you want. Then click Open. 


Opening a Sample File 


Visio includes a sample of every type of drawing and 
diagram that you can create. You can use the sample 
files merely as inspiration, or edit them and save them 
as a new diagram. To browse the list of sample files, 
click File, New, Browse Sample Drawings. Visio displays 
a dialog box that looks just like the Open dialog box, 
except that it displays sample file folders, as Figure 1-18 
shows. Double-click a folder to display the samples for 


that diagram type. For example, double-click Flowchart 
to display the list of sample flowchart diagrams. 
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Figure 1-18. Visio includes a sample drawing file 
for many diagram types. 


By default, Visio stores its sample files in 


C:\Program Files\Microsoft Office\Visio10 
\1033\Samples. 


Opening a New Drawing File Without a 
Template 


You can open a new Visio drawing file that’s not based 
on a template. Visio creates a new diagram with a blank 
drawing page and the default page settings for unscaled 
drawings. It’s like starting with a fresh slate. No stencils 
are opened, but you can add them later. To do this, click 
Ctri+N, or choose File, New, New Drawing. 


Opening Stencils 


When you want to work with more shapes, you can open 
additional stencils. There’s a practical limit to the 
number of stencils you can open, although it depends on 
your screen resolution. The screen can become pretty 
crowded with more than about seven stencils, and it 
gets a little tougher to find the particular shape you 
want. However, you can open as many stencils as you 
need. The easiest way is to use the Open Stencil button 
on the Standard toolbar. It does one of two things: 


e If you click the button itself, the Open 
Stencil dialog box appears. 


e If you click the drop-down arrow on the 
button, a menu of diagram types appears, 
and you can point to a type to display its 
stencils, as Figure 1-19 shows. 


“Figure 1-19. The quickest way to open another 
stencil is with the Open Stencil button on the 
Standard toolbar. 


If you prefer working with menus, choose File, Stencils, 
Open Stencil to display the Open Stencil dialog box, 
where you can locate any stencil, including ones you 
create. 


If you create your own stencils, they will 
appear on Visio’s stencil lists in the Open 
Stencil button and dialog box if you save 
them in the right folder. Visio automatically 
looks for stencil (.vss) files in the C:\Program 
Files\Microsoft Office\Visio10\1033 \Solutions 
folder and its subfolders. 


For details about creating stencils, see 
“Saving Customized Shapes as Masters”. For 
details about opening stencils for editing, see 
“Opening Stencil (.vss) Files”. 


Opening Older Versions of Microsoft Visio 
Files 


You can open files created in any previous version of 
Microsoft Visio Standard, Visio Professional, Visio 
Technical, or Visio Enterprise, including Visio 1, 2, 3, 
4.x, 5.x, or 2000. To do this, choose File, Open, locate 
the drawing file you want to open, and then click Open. 


newfeature! Another great new feature is that any 
drawing file you create with Visio 2002 can be opened 
by other Visio users—regardless of the version of Visio 
they have. They may not be able to see every drawing 
element, however. For example, Visio 5 and earlier does 
not include many of the windows on the View menu, 
such as the Pan & Zoom window. 


If you use Windows Explorer to locate a Visio 
drawing file (.vsd) created in an older version 
of the product, you can double-click the file 


name. Visio 2002 automatically opens with 
the old drawing. 


Troubleshooting 


Opening a Visio drawing file causes a 
message about macros to appear. 


When you open a drawing file that includes a 
VBA macro or other programming code, Visio 
displays a message to warn you about its 
contents, as Figure 1-20 shows. Usually the 
macros are needed to enable interactive 
features of the drawing. This message is a 
new safeguard feature of Visio. If you know 
that the drawing file came from a reputable 
source, click Enable Macros. Visio probably 
requires the macro to run the built-in shape 
intelligence. 


“-Figure 1-20. If you open a Visio 
drawing file that includes a built-in 
macro, as many Visio drawings and 
templates do, this message appears. 


If you frequently open drawing files created 
in older versions of Visio, you may want to 
disable the message. This requires lowering 
your security settings. To do this, click Tools, 
Macros, Security, and then select the Low 
security option. 


Searching for a File to Open 


The task pane includes a powerful search tool that you 
can use to find the files or folders you need without 
leaving your Visio diagram. You can locate text in a 
document and find files or folders, regardless of where 
they are stored—your local hard disk, a network folder, 
or in Microsoft Outlook. Like many Web search engines, 
the task pane includes a Basic Search and an Advanced 
Search. To display the task pane, click View, Task Pane. 
The task pane’s Basic Search options appear as Figure 
1-21 shows. 


Figure 1-21. The task pane (View, Task Pane) 
helps you locate documents based on the text they 
contain. 


Switch Between New Drawing and 
Search Task Pane 


If you display the task pane and the New 


Drawing options appear, click the drop-down 
arrow on the title bar, and then select 

Search. This is a fast way to switch between 
options for searching and opening drawings. 


You can do the following: 


e In the Search Text box, type one or more 
words—text in the document, keywords, 
or other file properties. Use an asterisk 
character (*) to replace groups of 
characters and a question mark (?) to 
replace a single character. Click Search 
Tips for help. 


The more words you type in the Search Text 
box, the more specific your search results will 
be. 


e In the Search In box, tell Visio where to 
look. If you know which folder, you can 
type it in the Search In box. Otherwise, 
click a plus sign (+) to expand the list, and 


click to place a check mark beside the 
folder at the highest level you want to 
search. You can click a check box several 
times—with each click, the selection 
changes. A second click selects a folder 
and all folders within it. A third click 
cancels the top selection but retains the 
folders. A fourth click cancels the entire 
selection, folders and all. 


e In the Results Should Be box, you can 
narrow the scope of the search to locate 
only files of a particular type. 


When you click the Search button, Visio begins the hunt 
and displays the Search Results. To return to the Basic 
Search task pane, click the Modify Button. To refine the 
search criteria, click the Advanced Search option at the 
bottom of the Basic Search pane. 


Opening a File in a Document 
Management System 


If you work with a document management 
system (DMS) that supports the Open 
Document Management API (ODMA) 
standard, you can retrieve and store Visio 
drawings and diagrams with it. If Visio 
detects the presence of an ODMA 1.5- 
compliant system on your computer, you can 
choose File, Open to open your drawing file, 
and the DMS Open dialog box appears 
instead of the Open dialog box. If you use 
another method of opening your file, such as 
pressing Ctrl+O, you won't be able to save to 
the document management system. If the 
DMS Open dialog box does not appear, you 
may need to register Visio with your 
document management system. Refer to the 
documentation that came with your 
document management system. 


Microsoft Word Inside Out 
Chapter 15 


Inserting Objects for 
Multimedia and More 


Text is text is text, but Microsoft Word offers 
much more than simple text management and 
enhancement techniques. Your Word documents 
can literally sing, if you choose to add audio clips 
or voice-overs. They can tell a story, if you 
choose to add a video segment. Your Web pages 
can teach, if you want to add a Microsoft 
PowerPoint presentation to the page you create in 
Word. 


Word makes it easy to both link and embed files 
(which are called objects for this operation). That 
means you can work with files you create in other 
programs, whether they’re Microsoft Office 
applications or not. This chapter gets you up to 
speed on incorporating objects in your 
documents, whether you want to add multimedia 
effects or something more sedate, like a Microsoft 
Excel spreadsheet or a bit of Microsoft Access 
data. 


What kinds of things might you want to link? 
You’ve got all sorts of choices: a sound file, a 
table, a video clip, an equation, data tables, 

images, a presentation file, or another Word 

document. 


Create It Once, Use It Again 


One of the great things about using a multi- 
application suite like Office is the way you can 
reuse what you create. You can open your Excel 
spreadsheet in your sales report. You can attach 
an organization chart to the announcement of the 
new spring promotions. You can add a voice-over 
segment to a section of a speech you're testing 
out with your coworkers. You can use these 
different items in your Word document by 
importing them as objects. 


Although you can copy and paste these items into 
a document, keeping the data current can be a 
problem if your information changes often. If you 
paste a segment of your Excel worksheet in your 
document, and then the original worksheet 
changes, your document will be out of date. To 
resolve this so that you can create these multi- 
dimensional documents and still keep your 
documents current, you can link the objects to 
their original files using object linking and 
embedding (OLE) and Dynamic Data Exchange 
(DDE). 


You can import objects from programs 
outside the Office applications. As long 


as the program supports OLE and 
DDE, you can link and edit that 


1 


s objects. 


Linking vs. Embedding: A 
Comparison 


Linking and embedding a file might seem like the 
same process at first. In fact, they are two very 
different processes, each providing a different 
function: 


e Linking a file establishes a link 
between the original (source) file 
and the file to which you copied the 
data (destination). Whenever you 
change the information in the 
source file, the destination file is 
updated. 


e Embedding a file places an intact 
copy of the source in the 
destination file. Although changing 
the source doesn’t affect the 
destination file, you can edit the 
object in the destination file by 
double-clicking it. You can then edit 
the object without quitting Word. 


Cut to the Chase 


The biggest difference between linking 
and embedding is the file in which the 


data is stored (source or destination) 
and how it’s updated (at the source, 
or originating program, or in the 
destination document). 


Good Candidates for Linking and 
Embedding 


Linking an object is a good choice when you need 
to keep data in your documents up to date. Here 
are a few examples: 


e You're creating a draft of a report 
that includes slides from a 
PowerPoint presentation that’s not 
yet finished. If the document is 
linked to the presentation file, when 
you finish the presentation, the 
document will reflect the changes. 


e You have a new logo design for 
your business, and you're trying it 
out on letterhead. If you maintain 
the link to the draw file in which the 
logo is stored, when you change 
the logo, the letterhead will reflect 
the changes. 


e You have a sales report due this 
afternoon, but not all the numbers 
are in from your regional sales 
staff. If you import the part of the 
Excel spreadsheet that’s ready and 
establish a link when you update 
the information later, the file will 
reflect the changes. 


Embedding objects is a good idea when you don’t 
need to maintain a link but want to edit the 
object in your document. Here are some 
examples of embedding: 


e You want to send a snapshot of 
current Excel data to a coworker, 


but the information is likely to 
change. 


e You want to add a finished 
spreadsheet object. You don’t need 
to maintain the link, but you might 
want to change the format or 
values later. 


e You’ve added an organization chart, 
but when you send the document to 
different audiences, you need to 
change the roles that are displayed. 


Linking an object to a file establishes a 
one-way link to the source document. 
When you change the information in 
the source—for example, when you 
change the name of a product in the 
PowerPoint presentation you’ve 
imported—the same change is 
reflected in the document to which 
ou’ve linked the information. 


Link for Small File Size 


When you want to keep your files 
small, linking is your best bet. 
Because linked files store only a 
pointer to the source file, the 
destination file size increases only a 
little. Although these types of links 
introduce other potential problems 
(such as broken links to deleted or 
moved source files), they give you the 
flexibility you might need when size is 
a consideration. 


Linking Objects 


Word provides two different ways for you to bring 
linked objects into your documents. You can use 
the Insert Object dialog box to place an existing 
object in your document, and you can use the 
Paste Special command to use the basic copy- 
and-paste procedure to establish and maintain a 
link with the source file. 


Inserting a Linked Object 


Suppose you have a great new banner ad design 
that you want to incorporate in the document 
you're preparing for a client. Although the banner 
ad isn’t quite finished, you want to show the 
client how the ideas are developing in the 
presentation. You decide to add the entire 
presentation to your document as a link in the 
report. 


To insert the object and create a link to the 
source file, follow these steps: 


1. Place the insertion point where you 
want to include the object. 


2. Choose Insert, Object. The Object 
dialog box appears. 


3. Click the Create From File tab (see 
Figure 151). Here you can enter the 
name for the file you want to insert 
and choose whether to link or 
embed the file. 


“-Figure 15-1. The Object 
dialog box gives you the means 
to link or embed objects. 


4. Click Browse. The Browse dialog 
box is displayed. Navigate to the 
folder in which the file you want to 
link is stored, select the file, and 
click Insert. You are returned to the 
Object dialog box. 


5. Select the Link To File check box. 
This tells Word to establish the link 
to the source. 


6. Click OK. The object is inserted, as 
Figure 152 shows. 


“-Figure 15-2. The object is 
placed at the insertion point. 


Run a Presentation 


If your linked object is a PowerPoint 
presentation, run the presentation by 
double-clicking it. You won’t be able to 
edit the presentation, however, 
without opening the source file. 


Troubleshooting 
The Linked Object Is Missing 


So after you go through the steps to 
insert a linked object, it starts to 


appear in your file and then—nothing. 
Just an outline, no object. What’s 
going on? 


If you have enabled Picture 
Placeholders in the Options dialog box, 
Word is saving memory and screen 
update time by showing only the 
outline of the object. You can fix this 
by choosing Tools, Options and 
clearing the Picture Placeholders check 
box on the View tab. 


Create Objects with Create New 


The process of embedding uses the 
Create New tab in the Object dialog 
box. Embedding an object enables you 
to include in your document objects 
you have created in other programs, 
and it also lets you actually create the 


objects from scratch while you are 
working with Word. When you use the 
items in the Create New tab to create 
an embedded object, Word launches 
the program you used to create the 
object; and then after you save and 
close the other program, you are 
returned to Word, and the object is 
embedded in your current document. 


Adding Linked Objects with Paste 
Special 


Another way to add a linked object in your 
document is to use Paste Special. This command 
(available from the Edit menu) copies and pastes 
not only the data but also a link to the source 
file. Start in the Word document to which you 
want to add the linked object, and then follow 
these steps: 


1. Position the insertion point where 
you want to add the object. 


2. Launch the program in which you 
have created the object to be 
linked. Select the section or object, 
and copy the item to the Clipboard. 


3. Return to Word, and choose Edit, 
Paste Special. The Paste Special 
dialog box appears. (For an 
example of the Paste Special dialog 
box, see Figure 155.) 


4. Click the Paste Link option, select 
the object type in the As list box, 
and click OK. Word adds the data 
and the link to your document. 
Note: The Paste Link option is 
available only for objects you've 
created in programs that support 
linking. 


When you want to review the links in 
your current document, choose Edit, 
Links to display the Links dialog box. 


Changing Linked Objects 


Any editing you do on a linked object actually 
takes place in the source file. You can edit a 
linked object in several different ways: 


e You can double-click the object to 
launch the source program. 


e You can click the object, choose 
Edit, Linked Object, and click Edit 
Link. 


e You can right-click the object to 
display the shortcut menu. You can 
then click Linked Object and select 
Edit Link (see Figure 153). This 
takes you to the source file so that 
you can make changes as needed. 


“-Figure 15-3. You can modify a linked 
object and update the changes. 


To modify the source object directly, make your 
changes in the originating program. Save and 
close the object as you would normally. 


When you return to the linked document, select 
the linked object and choose Edit, Update Link (or 
press F9). Depending on how you've set up your 
options for updates, the destination file might be 
updated as soon as you return to it or it might be 
delayed until you manually choose an update. 


For more information on controlling 


the update of linked objects, see the 
section “Updating Links.” 


Working with Links 


The only tricky part to working with linked 
objects in your documents is that managing a 
variety of links can be confusing and a drain on 
your system’s resources. For this reason, Word 
pulls link management together in one place—the 
Links dialog box. To display this box, choose Edit, 
Links (see Figure 154). 


“-Figure 15-4. The Links dialog box gives 
you the means to review, change, update, 
and remove links to objects you've inserted 
in your document. 


Reviewing Links 


In the Source File section of the Links dialog box, 
you see a list of the currently active links in your 
document. You can scroll through the list to 
determine the following: 


e The source file for the object 
e The type of object that’s linked 


e The type of update assigned to the 
object 


Using the various options in the Links dialog box, 
you can change the update method of the link, 
check the source file, modify the location of the 
source file, and review information about the link. 
You can also lock the link or break it to protect 
the destination document from any further 
changes. 


Update Now 


It’s possible for you to have some 
links in the Source File list in the Links 
dialog box that show Auto updates 
and others that show Manual updates. 
You can force the update of a Manual 
link by selecting it in the Source File 
list and clicking Update Now. 


Updating Links 


By default, Word updates any links in your 
document. Each time you open the file, Word 
checks whether any links have changed—a 
process that can take a few minutes if you've 
added many links to your current document. 
Similarly, when you make a change to the source 
file and the destination file happens to be open, 
Word updates the destination file if you’ve got the 
updating options set to update automatically. 


Manually Updating Links 


Word gives you the option of updating links 
automatically or manually. Automatic is nice—you 
don’t have to worry about it—unless sharing files 
is an issue and you want to limit others’ ability to 
change or modify the linked document by editing 
the source. When you want to set a link in your 
document to be manually updated, follow these 
steps: 


1. Choose Edit, Links. The Links dialog 
box appears. 


2. Select the linked object in the 
Source File list. 


3. In the Update Method For Selected 
Link section, click the Manual 


Update option. 


4. Click OK. The object will be updated 
only when you choose Update Link 
from the Edit menu or press F9. 


Locking a Link 


When you get an object just the way you want it 
—your PowerPoint presentation is finished, for 
example, or that logo has finally been approved— 
you can protect the destination from further 
changes by locking the link. When you lock a link, 
it will no longer be updated, even if the source 
file is modified. 


To lock a link, display the Links dialog box, select 
the linked object in the Source File list, and select 
the Locked check box in the Update Method For 
Selected Link section. You can unlock a link later 
if you choose by repeating the first two steps and 
clearing the Locked check box. 


Troubleshooting 


My Changes Are Lost 


If Word crashes and then AutoRecover 
restores your document, you might 
find that your linked object has lost its 
most recent changes and is appearing 
as an outline instead of a fully 
displayed object. To fix these 
problems, save the document, click 
the object, and choose Tools, Options. 
Clear the Picture Placeholders check 
box on the View tab, and click OK to 
close the dialog box. Then, with the 
object still selected, press F9 to force 
a manual update. Word compares the 


object against the source file and 
updates any missing changes. 


Going to the Source 


When you want to look at the source file for your 
document, you can use the Open Source button 
in the Links dialog box to get to it. Simply select 
the link in the Source File list and click Open 
Source. The source program is opened and the 
file is displayed. 


Edit Your Slide Show 


If your source’s native application is 
PowerPoint, Open Source will run a 
slide show rather than displaying 
editing mode for the presentation. To 
launch PowerPoint so that you can 


make changes in the file, right-click 
the object in your Word document and 
choose either Edit Link or Open Link. 
The PowerPoint work area will be 
displayed with the first slide shown in 
Slide view. 


Changing the Source 


When you want to move a source file, the linked 
document needs to know a move has taken 

place. To tell Word the source has moved, choose 
Edit, Links and, with the link selected, click 
Change Source in the Links dialog box. The 
Change Source dialog box appears. Navigate to 
the folder where the source file is now located, 
click the file, and click Open. Click OK to close the 
Links dialog box. 


Breaking Links 


After you have a file in its finished state, you 
might want to break a link to keep the object 
from future modifications. To break the link of a 
selected object, follow these steps: 


1. Display the Links dialog box by 
choosing Edit, Links. 


2. In the Source File list, select the 
link you want to break. 


3. Click Break Link. Word displays a 
message box asking you to confirm 
that you want to proceed with the 
operation. 


4. Click Yes to break the link. The link 
is removed from the list, although 
the object remains in your 
document. Any further changes to 
the source file will not affect your 
document. 


5. Click Close to close the Links dialog 
box. 


If you want to re-establish the link you 
just broke, you can press Ctrl+Z or 
select Undo to re-establish the link. 


Linking Considerations for Shared Files 


As you can see, managing the links for your 
documents could be a fairly complicated process, 
especially if you create a number of links to each 
document and choose to have some updated 
automatically and others updated manually. 
Reviewing your links regularly, as well as keeping 
a list of active links for current files, is a way to 
ensure that an important source file doesn’t 
disappear 15 minutes before a major meeting. 


If your document is linked to a source file on a 
network server, you run the risk that the 
document might be changed, moved, or deleted 
by another user. Although Word looks for the 
missing file, there’s no guarantee it will find it. 
Make sure that you keep active backups of 
important files and that you review your links 
often. 


Another network consideration: If your source file 
is stored in a shared directory, it’s possible that 
another user can access your file and make a 
change without your knowledge. This is fine if the 
change makes things better, but what if the 
change introduces an error you miss? To control 
the access to the file, you can choose to manually 
update the link when you add the linked object. 


Troubleshooting 


The Source File Has Moved 


If you get an error when you try to 
edit a linked or embedded object, 
check to see whether the source file 
has been moved. To do this, click the 
linked object, choose Edit, Links. Use 


the Change Source button in the Links 
dialog box to reconnect the links. 


Embedding Objects 


Embedding objects, by contrast to linking objects, 
is a pretty straightforward process. There are no 
links to worry about or maintain. You simply 
place an object in the document and there it 
stays. Pretty clean and simple. 


The downside of embedded objects is the size of 
the file they create. When you add a PowerPoint 
presentation to your destination document, for 
example, your Word file takes on the weight of 
the additional file. With a linked file, only the link 
to the source file is actually stored in the 
document. 


You also have an additional choice with 
embedded objects that you didn’t have with 
linked objects: You can create a new embedded 
object on the fly. That is, you can create a new 
object while you’re working in your Word 
document. This section explores ways to embed 
data sections, create new embedded objects, edit 
your objects, and convert them to other file 
formats. 


Pasting Data as an Embedded Object 


When you want to embed a portion of a file, you 

can use Paste Special to import the information, 

keeping the formatting intact. Here are the steps 
for embedding a section of data: 


1. In the source program, open the 
data file from which you want to 
copy data. 


2. Select the data, and copy it to the 
Clipboard. 


3. Open your destination document, 
and place the insertion point where 
you want to add the data. 


4. Choose Edit, Paste Special. The 
Paste Special dialog box appears, 
as Figure 155 shows. 


“-Figure 15-5. The Paste Special dialog box 
enables you to both link and embed data. 


Creating an Embedded Object 


What kind of object would you like to add as 
you're working on your Word document? Word 
enables you to create embedded objects as you 
work in Word, using programs such as Microsoft 
Equation 3.0, PowerPoint, Paintbrush, and 
RealNetworks’ RealPlayer. You also can add data 
from Excel, a slide from PowerPoint, a wave 
(sound) file from Microsoft Sound Recorder, a 
video segment from Media Clip, or any number of 
other programs you might have installed on your 
system. 


To create an embedded object in Word, follow 
these steps: 


1. Start in the document to which you 
want to add the embedded object. 


2. Place the insertion point where you 
want to add the object. 


3. Choose Insert, Object. The Insert 
Object dialog box appears, with the 
Create New tab selected, as Figure 
156 shows. 


“-Figure 15-6. You can create 
an embedded object from 
within your Word document. 


4. Scroll through the Object Type list, 
and select the one you want. 


5. If you want to have the embedded 
object displayed as an icon instead 
of a file, select the Display As Icon 
check box. 


6. Click OK to close the dialog box and 
launch the program. Figure 157 
shows the screen that appears 
when Microsoft PowerPoint Slide is 
selected. 


Depending on the 
program you're using to 
create the embedded 
object, the menus you 
see might differ from 
those you see here. 
Different programs offer 
different levels of 
support for object 
linking and embedding. 
If you need help with 
the program you’re 
using to create the 
embedded object, 
consult that program’s 
help system or your 
ram documentation. 


7. In the source program, choose File 
and select the command that 
enables you to close the program 
and return to Word. The program is 
closed, and you are returned to the 
destination document. If you chose 
to display the object as an icon, the 
icon is displayed at the insertion 
point. If you chose to clear the 
Display As Icon check box, the file 
is displayed in full. 


Change the Icon 


If you elect to display the embedded 
object as an icon, a Change Icon 
button appears in the Insert Object 
dialog box that changes the icon used 
in your document. To see the list of 
displayed icons, click the Change Icon 
button, and scroll through the list to 
see the available icons. Click Browse if 
necessary, and select the file you 
want. Click in the Caption box, add a 
caption and click OK to accept the 
change. 


“-Figure 15-7. Creating an embedded object 
in Word involves working in the source 
program. 


Adding an Existing Object 


Adding a file or data section to your document as 
an embedded object allows you to keep all the 
data in one place, which makes your file portable. 
The benefit of embedding a file as opposed to 
copying it in your document is that you can edit 
an embedded object—in its originating program— 
from within your Word document. 


To add an existing object to your Word document, 
follow these steps: 


1. Place the insertion point where you 
want to add the embedded object. 


2. Choose Insert, Object. 


3. Click the Create From File tab (see 
Figure 158). Click Browse, select 
the file you want to embed, and 
click Insert. 


4. If you want the embedded object to 
appear as an icon, select the 
Display As Icon check box. 


5. Click OK to add the object. 


The process for embedding an object 
is only one step removed from adding 
a linked object: In the Create From file 
tab, you don’t select the Link To File 


check box. By leaving this check box 
unselected, you tell Word that the file 
is to be incorporated as an embedded 
object in the current document. 


“-Figure 15-8. Use the Create From File tab 
in the Insert Object dialog box to embed an 


existing file. 


Editing an Embedded Object 


You edit an embedded object by double-clicking it 
—whether the object is a section of a file or an 
entire embedded file. Double-clicking opens the 
program in which the file was created. You can 
make your changes as needed and choose File, 
Close And Return To Microsoft Word to accept the 
changes in your document. 


Troubleshooting 
I Can't Edit an Embedded Object 


You double-click an object to edit it, 
and nothing happens. What’s going 
on? These are the possibilities: 


e Make sure the source 
program is still installed. 
If it’s not, install it or 
convert the embedded 
object to a file format 
you can use. 


e Make sure that you’re 
not running low on 
system memory. If that 
appears to be the 
problem, close all other 
programs to free up 
space. 


e If you're working with a 
linked object on a 
network, make sure that 
no one else has the 
source file open at the 
same time. 


e Make sure that the 
source file hasn’t been 
moved or renamed. 
Check this by clicking 
the object and choosing 
Edit, Links. 


Converting Embedded Objects to Other 
Formats 


Your embedded file has all the data it needs in 
order to be complete. But what happens when 
you copy the file to a disk and take it to another 
computer that doesn’t have the source file? You 
could install the source program—if you have it 
handy. If not, another option is to convert the 
embedded object to a file format you can use. 


To convert an embedded object, follow these 
steps: 


1. Right-click the embedded object. 


2. On the shortcut menu, choose 
Object, Convert. The Convert dialog 
box appears, as Figure 159 shows. 


“-Figure 15-9. Converting an 
embedded object enables you 
to save it in another file 
format. 


3. Choose the file format to which you 
want to convert the embedded file, 
and click OK. The file is converted 
as you selected. 


Use Activate As if you want to open an 
object as the type you select in the 


Object dialog box and then allow it to 
return to its natural object type when 
ou close it. 


Microsoft Excel Inside Out 


Chapter 34 


Debugging Macros and Custom 
Functions 


If you have made it through the last three 
chapters, you now have at least a smattering of 
Microsoft Visual Basic for Applications (VBA) at 
your command—as well as, we hope, an appetite 
for learning more. The best ways to acquire more 
expertise in this versatile programming language 
are to read a text on the subject (such as 
Microsoft Excel 2000/Visual Basic for Applications 
Fundamentals, from Microsoft Press) and to 
experiment. As you do your everyday work in 
Microsoft Excel, look for chores that are ripe for 
automating. When you come across something 
macro-worthy, record your actions. Then inspect 
the code generated by the macro recorder. Make 
sure you understand what the recorder has given 
you (read the Help text for any statements you 
don’t understand), and see whether you can find 
ways to make the code more efficient. Eliminate 
statements that appear unnecessary, and then 
see whether the code still does what you expect 
it to do. Look for statements that select ranges or 
other objects, and see whether you can make 
your code perform the essential tasks without 
first selecting those objects. 


As you experiment, and as you create larger and 
more complex macros and functions, you will 
undoubtedly produce some code that either 
doesn’t run at all or doesn’t give you the result 
you're looking for. Missteps of this kind are an 
inevitable part of the learning process. (They’re 
also an inherent part of programming, even for 
experts.) Fortunately, the VBA language and the 
Visual Basic Editor (VBE) provide tools to help 


you trap errors and root out bugs. Those tools 
are the subject of this chapter. 


In this chapter, you look at two kinds of error- 
catching tools: those that help you at design 
time, when you’re creating or editing code, and 
those that work at run time, while the code is 
running. 


Using Design-Time Tools 


The VBE’s design-time error tools let you correct 
mistakes in VBA syntax and catch misspellings of 
variable names. They also let you follow the “flow” of a 
macro or function (seeing each line of code as it is 
executed) and monitor the values of variables during the 
course of a procedure’s execution. 


Catching Syntax Errors 


If you enter a worksheet formula incorrectly in Excel, 
Excel alerts you to the error and refuses to accept the 
entry. The VBA compiler (the system component that 
converts your English-like VBA code into machine 
language) normally performs the same service for you if 
you enter a VBA expression incorrectly. If you omit a 
required parenthesis, for example, the compiler beeps 
as soon as you press Enter. It also presents an error 
message and displays the offending line of code ina 
contrasting color (red, by default). 


Certain kinds of syntax errors don’t become apparent to 
the compiler until you attempt to run your code. For 
example, if you write the following: 


With Selection.Border 
Weight = xIThin 


.-LineStyle = xlAutomatic 


and attempt to run this code without including an End 
With statement, you will see this error message. 


Pa 


Your procedure will halt, and you will be in break mode. 
(You can tell you're in break mode by the appearance of 
the word break, in brackets, in the VBE title bar. The line 
that the compiler was attempting to execute will be 
highlighted—by default, in yellow.) Break mode lets you 
fix your code and then continue running it. For example, 
if you omit an End With statement, you can add that 
statement while in break mode, and then press F5 (or 
choose Run, Continue) to go on with the show. If you 
want to exit from break mode, rather than continue with 
the execution of your procedure, choose Run, Reset. 


If you don’t like having the compiler complain about 
obvious syntax errors the moment you commit them, 
you can turn that functionality off. Choose Tools, 
Options, click the Editor tab (shown in Figure 34-1), and 
clear the Auto Syntax Check check box. With automatic 


syntax checking turned off, your syntax errors will still 
be flagged when you try to run your code. 


“-Figure 34-1. Clear Auto Syntax Check if you 
don’t want to know about syntax errors until you 
run your code. 


Change color with the Options dialog 
box 


You can also use the Options dialog box to 
change the color that the VBE uses to 
highlight syntax errors. If you don’t like red, 
click the Editor Format tab, select Syntax 
Error Text in the code Colors list, and choose 
a different color. 


Auto Syntax Check is on by default. So are three other 
“auto” options—Auto List Members, Auto Quick Info, and 
Auto Data Tips. These are all useful, and you should 
leave them on, especially if you’re a relative newcomer 
to VBA. Auto List Members and Auto Quick Info help you 
complete a line of VBA code by displaying options 
available at the current insertion point or the names of 
arguments required by the function you’re currently 
entering. Auto Data Tips is relevant only in break mode. 
If you hover your mouse cursor over a variable name in 
break mode, the Auto Data Tips feature displays the 
current value of that variable as a ScreenTip. 


Catching Misspelled Variable Names 


The VBA compiler doesn’t care about the capitalization 
style of your variable names. MyVar, myVar, and myvar 
are identical names as far as the compiler is concerned. 
(If you’re inconsistent about the capitalization of a 
variable name, the VBE adjusts all instances of that 
variable to make them look the same.) If you change 
the spelling of a variable name in mid-program, 
however, the compiler creates a new variable—and 
havoc for your program. An error in programming 
introduced by a misspelled variable can be especially 
treacherous because the program might appear to 
behave normally. 


You can virtually eliminate the possibility of 
inconsistently spelled variable names in a module by 
adding a single statement at the top of that module 
(above any Sub or Function statements): 


OQotion wipe lak cali 


The Option Explicit statement forces you to declare any 
variables used in the current module. You declare 
variables with Dim statements. (For the complete details 
about Dim, type Dim in a module and press F1.) With 
Option Explicit in place, if you use a variable without 
first declaring it, you get a Compile Error at run time. If 
you accidentally misspell a variable name somewhere in 
your program, the misspelled variable will be flagged by 
the compiler as an undeclared variable, and you'll be 
able to fix the problem forthwith. 


You can add Option Explicit to every new module you 
create by choosing Tools, Options, clicking the Editor 
tab, and selecting Require Variable Declaration. This 
option is off by default, but it’s good programming 
practice to turn it on. Option Explicit will do more for you 
than eliminate misspelled variable names. By forcing 
you to declare your variables, it will also encourage you 
to think ahead as you work. 


Stepping Through Code 


The VBE’s step commands cause the compiler to execute 
either a single instruction or a limited set of instructions 
and then pause in break mode, highlighting the next 
instruction that will be executed. Execution is suspended 
until you take another action—such as issuing another 
step command, resuming normal execution, or 
terminating execution. By issuing step commands 
repeatedly, you can follow the procedure’s execution 
path. You can see, for example, which way the program 
branches when it comes to an If statement, or which of 
the alternative paths it takes when it encounters a 
Select Case structure. (A Select Case structure causes 
the program to execute one of a set of alternative 
statements, depending on the value of a particular 
variable. For details, type case in a module and press 
F1.) You can also examine the values of variables at 
each step along the way. 


Monitor variable value 


You can monitor the value of variables by 
displaying the Watch window or the Quick 
Watch dialog box, or by hovering your mouse 
cursor over particular variables while in break 
mode. For information about using the Watch 
window, see “Using the Watch Window to 
Monitor Variable Values and Object 
Properties.” 


You have four step commands at your disposal. You'll 
find these commands—and their keyboard shortcuts—on 
the Debug menu: 


e Step Into executes the next instruction 
only. 


e Step Over works like Step Into unless the 
next instruction is a call to another 
procedure. In that case, Step Into 
executes the entire called procedure as a 
unit. 


e Step Out executes the remaining steps of 
the current procedure. 


e Run To Cursor executes everything up to 
the current cursor position. 


You can run an entire procedure one step at a time by 
pressing F8 (the keyboard shortcut for Debug, Step 
Into) repeatedly. To begin stepping through a procedure 
at a particular instruction, move your cursor to that 
instruction and press Ctrl+F8 (the shortcut for Debug, 
Run To Cursor). Alternatively, you can force the compiler 
to enter break mode when it reaches a particular 
instruction, and then use any of the step commands. 


Setting Breakpoints with the Toggle 
Breakpoint Command 


A breakpoint is an instruction that causes the compiler 
to halt execution and enter break mode. The simplest 
way to set a breakpoint is to put your cursor where you 
want the breakpoint and choose Debug, Toggle 
Breakpoint (or press F9). Choose this command a 
second time to clear a breakpoint. You can set as many 
breakpoints in a procedure as you like using this 
method. The Toggle Breakpoint command sets an 
unconditional breakpoint—one that will always occur 
when execution arrives at the breakpoint. To set a 
conditional breakpoint—one that takes effect only under 
a specified condition—see the next section. 


As Figure 34-2 on shows, the VBE highlights a line 
where you've set a breakpoint in a contrasting color and 
displays a large bullet in the left margin of the Code 
window. To customize the highlighting color, choose 
Tools, Options, click the Editor Format tab, and select 
Breakpoint Text. 
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Figure 34-2. The VBE uses highlighting to mark 
breakpoint lines. 


Setting Conditional Breakpoints Using 
Debug.Assert 


With the Assert method of the Debug object, you can 
cause the VBA compiler to enter break mode only if a 
particular expression generates a FALSE result. Figure 
34-3 provides a simple example. 
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Dim x As Integer 


êd x 9 


Integer Module1 assert 


Figure 34-3. This Debug.Assert statement puts the 
compiler in break mode when the value of x 
becomes 9 or greater. 


The Debug.Assert statement in this otherwise useless bit 
of code asserts that x is less than 9. As long as that 
assertion is true, the procedure runs. When it becomes 
false, the compiler enters break mode. As the Watch 
window in Figure 34-3 shows, the compiler enters break 


mode when x is equal to 9. (The Watch window is 
discussed next.) 


You can also use the Watch window to set 
conditional breakpoints. See “Setting 


Conditional Breakpoints with the Watch 
Window.” 


Using the Watch Window to Monitor Variable 
Values and Object Properties 


The Watch window shows the current values of selected 
variables or expressions and the current property 
settings for selected objects. You can use the Watch 
window to monitor the status of variables and objects as 
you step through a procedure. 


In Figure 34-3, the Watch window shows a single 
variable, x. Figure 34-4 shows a Watch window 
monitoring eight variables. The first four of these are 
object variables—variables set to various worksheet 
ranges. Because objects have properties, the Watch 
window displays outline controls beside the names of 
these variables. Opening an outline control reveals an 
object’s property settings, as Figure 34-5 shows. 
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Figure 34-4. You can monitor the status of 
variables and objects in the Watch window. 
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Figure 34-5. Opening an outline control associated 
with an object or object variable reveals that 
object’s properties. 


To display the Watch window, choose View, Watch 
Window. (To close the window, click its Close button.) To 
add a variable or object to the Watch window, you can 
select it in the Code window and drag it into the Watch 
window. You can add expressions, such as a + 1, to the 
Watch window in this manner. Alternatively, you can add 
something to the Watch window by choosing Debug, Add 
Watch. In the Expression box of the Add Watch dialog 
box (see Figure 34-6), type a variable name or other 
valid VBA expression. 


“Figure 34-6. You can use the Add Watch dialog 
box to add a watch variable or set a conditional 
breakpoint. 


Setting Conditional Breakpoints with the 
Watch Window 


As Figure 34-6 shows, you can use the Add Watch dialog 
box to set a conditional breakpoint. Choose Debug, Add 
Watch, specify the name of a variable or a VBA 


expression, and then select either Break When Value Is 
True or Break When Value Changes. Selecting Break 
When Value Is True for an expression is comparable to 
using a Debug.Assert statement to set a conditional 
breakpoint. The difference is that Debug.Assert causes a 
break when an expression becomes false, and the Break 
When Value Is True option does the opposite. 


Using Quick Watch to Monitor a Variable or 
Add a Watch Item 


In break mode you can select any variable name or 
expression in your code and choose Debug, Quick Watch 
(or press Shift + F9) to see the current value of the 
selected item. If you decide you want to monitor that 
item continuously, you can click Add in the Quick Watch 
dialog box. The VBE then adds the item to the Watch 
window. 


Using the Immediate Window 


While in break mode, or before running a procedure, 
you can execute any VBA statement in the Immediate 
window. (If the Immediate window isn’t visible, choose 
View, Immediate Window or press Ctril+G.) For example, 
you can find out the value of a variable x by typing 
Print x in the Immediate window. (As a shortcut, you 
can type ?x. The question-mark character is a synonym 
for Print in VBA.) 


You can also use the Immediate window to monitor 
action in a procedure while that procedure is running. 
You do this by inserting Debug.Print statements into the 
procedure. The statement Debug.Print x, for example, 
displays the current value of x in the Immediate window. 


The Immediate window can be a handy place to test 
VBA statements while you’re still wrestling with the 
syntax of this programming language. If you’re not sure 
that a particular statement will have the effect that you 
intend, you can try it out in the Immediate window and 
see what happens. 


Dealing with Run-Time Errors 


In many cases, run-time errors are caused by factors outside your control. For 
example, suppose you have written the following macro to format the numbers 
in a selected range using the Indian system of lakhs and crores: 


Sub LakhsCrores () 


For Hach cell In Selection 


If Abs(cell.Value) > 10000000 Then 


cell.NumberFormat = a nie been a cage ULLAL cote 


ElseIf Abs(cell.Value) > 100000 Then 


cell.NumberFormat = "##"™", "U#E"", ""HHEE" 


macl LE 


Next cell 


End Sub 


This macro works fine if the person who runs it selects a range containing 
numbers before running the macro. But if the user selects something else—a 
chart, for example—VBA displays the error message shown here. 


Pa 


The macro generates run-time error 438 and enters break mode because the 
For Each statement has to be applied to a collection or an array, and a chart 
object is neither (a range is a collection of cells, so For Each does work with a 
range). Even though you can figure out easily enough what the error message 
means and what you have to do about it (try again with a range selected), the 
message might still be annoying. If you intend for this macro to be used by 
someone else, it’s definitely impolite to let that other user see such a message. 


You can “trap” an error like this—that is, shield yourself and others from VBA’s 
run-time error messages—by means of an On Error Goto statement. The 
statement must appear before the code that might cause a run-time error, and 
it has the following syntax, where label is a name that identifies an error- 
handling section elsewhere in your program. 


On Error Goto label 


If a run-time error occurs, the On Error Goto statement transfers execution to 
the error-handling code. In the case of your LakhsCrores routine, the macro 
complete with error handling might look like this: 


Sub LakhsCrores () 


“Catch run-time error caused by inappropriate selection 


On Error GoTo Errorhandler 


For Each cell In Selection 


Lic Nos (CELL. Walwue) > OUUU OOUT Whim 


cell.NumberFormat = Mae M UM aie eM es ee 


ElseIf Abs(cell.Value) > 100000 Then 


cell.NumberFormat = "##"", ""#E", "UHEE" 


PURS: 


Next cell 


“Exit sub statement keeps execution from entering 


“error handler if no error occurs 


BLE Silo 


“Error handler 


Errorhandler: 


MsgBox "Please select a worksheet range" 


End Sub 


Notice that the error handler goes at the end of the program, introduced by the 
label that appeared in the On Error statement. The label must be followed by a 
colon and must appear on a line by itself. An Exit Sub statement appears 
before the error handler. This statement terminates the macro when no run- 
time error occurs; without it, execution would “fall into” the error handler 
regardless of whether an error occurred. Now when the user runs the macro 
after selecting a chart object, the user sees a polite message box instead of a 
rude VBA run-time error message. 


The macro still has a problem, however. The code works fine when the selected 
work-sheet range includes numbers, text, or blank cells. If it includes a cell 
containing an Excel error constant, such as #NA, however, a different run-time 
error occurs—error number 13, Type Mismatch. The message box generated by 
the error handler shown previously would not be appropriate for this kind of 
error. 


How do you make your code show one message for a non-range selection and 
another for a range that includes one or more error values? You use the 
Number property of the Err object. This property is always set to the most 
recent run-time error number (or 0, if no procedure is running or if no error 
has occurred). You could handle both run-time errors (438 and 13) with the 
following code: 


ErrorHandler: 


Err.Number=438 Then 


MsgBox "Please select a worksheet range" 


MsgBox "Please select a range without error vi 


ERA Iie 


In case the code is susceptible to some other run-time error |1 


lhieie@elalelinelLeve 2 


Err.Number = 438 Then 


MsgBox "Please select a worksheet range" 


BlseIlf Err.Number = 13 Then 


MsgBox "Please select a range without error vi 


Else 


MsgBox "Sorry! Unknown error!" 


Hine! Ii 


This isn’t particularly elegant, but at least you’ve got all the bases more-or-less 
covered. 


The foregoing error-handler examples assume that your program should 
terminate when a run-time error occurs. The purpose of the error handler is to 
prevent the jolting VBA message from showing up—and to provide the user 
with a simple explanation of what has gone wrong. 


In some cases you'll want your procedure to continue running after a run-time 
error occurs. In such a case, your error handler needs to return VBA to the 
appropriate instruction so that it can continue executing your program. Use 
either a Resume or Resume Next statement to do this. A Resume statement 
causes VBA to re-execute the line that caused the error. A Resume Next 
statement causes VBA to continue at the line that follows the line that caused 
the error. 


By combining On Error with Resume Next, you can tell VBA to ignore any run- 
time error that might occur and go to the next statement. If you’re sure you’ve 
anticipated all the kinds of run-time errors that might occur with your program, 
On Error Resume Next can often be the simplest and most effective way to deal 
with potential mishaps. In the LakhsCrores macro, for example, you can write 
the following: 


Sub LakhsCrores () 


“Tell VBA to ignore all run-time errors 


On Error Resume Next 


For Hach cell In Selection 


If Abs(cell.Value) > 10000000 Then 


cell.NumberFormat = ELUN AN ea eA CAN o OAN sieaa UU AU o AATU ees ce ca AN 


ElseIf Abs(cell.Value) > 100000 Then 


cell.NumberFormat = "##"",""##"",""###" 


axel Iie 


Next cell 


alice Silo 


With this code, if the user selects a chart and runs the macro, the run-time 
error is ignored, the program moves on to the For Each block, and nothing 
happens—because nothing can happen. If the user selects a range containing 
one or more error values, the program skips over those cells that it can’t 
format and formats the ones it can. In all cases, neither error message nor 
message box appears, and all is well. This solution is ideal for this particular 
macro. 


Of course, when you use On Error Resume Next, you're disabling VBA’s run- 
time checking altogether. You should do this only when you're sure you've 
thought of everything that could possibly go awry—and the best way to arrive 
at that serene certainty is to test, test, and then test some more. 


Microsoft Outlook Inside Out 
Chapter 1 


Outlook Architecture, Setup, 
and Startup 


This chapter provides an overview of Microsoft 
Outlook’s architecture to help you learn not only 
how Outlook works but also how it stores data. 
Having that knowledge, particularly if you’re 
charged with administering or supporting Outlook 
for other users, will help you use the application 
more effectively and address issues related to 
data storage and security, archiving, working 
offline, and moving data between installations. 


This chapter also explains the different options 
you have for connecting to e-mail servers 
through Outlook and the protocols (POP3 and 
IMAP, for example) that support those 
connections. In addition to learning about client 
support and the various platforms on which you 
can use Outlook, you'll also learn about the 
options that are available for starting and using 
the program. 


If you’re anxious to get started using Outlook, 
you could skip this chapter and move straight to 
Chapter 2, “Advanced Setup Tasks,” to learn how 
to configure your e-mail accounts and begin 
working with Outlook. However, this chapter 
provides the foundation on which many 
subsequent chapters are based, and reading it 
will help you gain a deeper understanding of what 
Outlook can do so that you can use it effectively 
and efficiently. 


Overview of Outlook 


In many respects, Outlook is a personal information 
manager (PIM). A traditional PIM lets you maintain 
information about your contacts, such as your 
customers, coworkers, and clients. Traditional PIMs also 
let you keep track of your daily schedule, tasks to 
complete, and other personal or work-related 
information. Outlook does all that, but it goes well 
beyond the features of most PIMs to provide e-mail and 
fax support, group scheduling capability, and task 
management. 


Outlook provides a broad range of capabilities to help 
you manage your entire work day. In fact, a growing 
number of Microsoft Office users work in Outlook more 
than 60 percent of the time. An understanding of 
Outlook’s capabilities and features is important not only 
to using Office effectively but also to managing your 
time and projects. The following sections will help you 
learn to use the features in Outlook to simplify your 
work day and enhance your productivity. 


Messaging 


One of the key features Outlook offers is messaging. You 
can use Outlook as a client to send and receive e-mail 
through a variety of services. Outlook offers integrated 
support for the following e-mail services: 


A client application is one that uses a service 
provided by another computer, typically a 
server. 


Exchange Server Outlook provides full support for 
Microsoft Exchange Server, which means you can take 
advantage of workgroup scheduling, collaboration, 
instant messaging, and other features offered through 
Exchange Server that aren't available with other clients. 
For example, you can use any POP3 e-mail client, such 
as Outlook Express, to connect to an Exchange Server 
(assuming the Exchange Server is running an Internet 
Mail Connector), but you’re limited to e-mail only. 
Advanced workgroup and other special features—being 
able to recall a message before it is read, use public 
folders, and vote, for example—require Outlook. 


Internet e-mail Outlook provides full support for 
Internet e-mail servers, which means you can use 
Outlook to send and receive e-mail through mail servers 
that support Internet-based standards, such as POP3 
and IMAP. What’s more, you can integrate Internet mail 
accounts with other accounts, such as an Exchange 
Server account, to send and receive messages through 
multiple servers. For example, you might maintain an 
account on your Exchange Server for interoffice 
correspondence and use a local Internet service provider 
(ISP), CompuServe, Bigfoot, or other Internet-based 
email service for messages outside your network. Or 
perhaps you want to monitor your personal e-mail along 
with your work-related e-mail. In that situation, you 
would simply add your personal e-mail account to your 
Outlook profile and work with both simultaneously. You 
can use rules and custom folders to help separate your 
messages. 


For more information about messaging 


protocols such as POP3 and IMAP, see 
“Understanding Messaging Protocols” . 


newfeature! HTTP-based e-mail Outlook 2002 
supports HTTP-based email services, such as Microsoft 
Hotmail. HTTP (Hypertext Transfer Protocol) is the 
protocol used to request and transmit Web pages. This 
means you can use Outlook to send and receive e-mail 
through Hotmail and other HTTP-based mail servers that 
would otherwise require you to use a Web browser to 
access your e-mail (see Figure 1-1). In addition, you can 
download your messages to your local inbox and process 
them offline, rather than remaining connected to your 
ISP while you process messages. Another advantage is 
that you can keep your messages as long as you want— 
most HTTP-based messaging services, including Hotmail, 
purge read messages after a given period of time. Plus, 
HTTP support in Outlook lets you keep all your e-mail in 
a single application. Currently, Outlook 2002 directly 
supports Hotmail. Check with your e-mail service to 
determine whether your mail server is Outlook- 
compatible. 


“-Figure 1-1. HTTP-based mail servers such as 
Hotmail have traditionally required access through a 
Web browser. 


Fax send and receive Outlook 2002 includes a Fax 
Mail Transport provider, which allows you to send and 
receive faxes using a fax modem. The Fax Mail Transport 
included with Outlook provides Messaging Application 
Programming Interface (MAPI) support so that incoming 
fax messages can be routed through your Outlook 
Inbox, with the MAPI-aware fax application handling the 
actual fax processing (send, receive, view, and so on). 
Most Microsoft platforms provide built-in fax capability, 
but actual support varies from one platform to another. 
In addition, third-party developers can provide MAPI 
integration with their fax applications, allowing you to 
use Outlook as the front end for those applications to 
send and receive faxes. Symantec’s WinFax is a good 
example of such an application. The fax service in 
Microsoft Windows 2000 also supports MAPI and Inbox 


integration with Outlook and is the only Microsoft- 
supplied fax service supported by Microsoft for Outlook. 


Windows 2000 fax service is now the only fax 
support offered for Windows. Windows 9x 


users will need to purchase a third-party fax 
application such as WinFax. 


For a detailed explanation of how to use 
Outlook to send and receive faxes (complete 
with cover pages and other details), see 
Chapter 9, “Sending and Receiving Faxes.” 


Extensible e-mail support Outlook’s design allows 
developers to support third-party e-mail services in 
Outlook, such as cc:Mail and Lotus Notes. This support 
doesn’t guarantee the availability of these third-party 
tools, however. For example, although earlier versions of 
Outlook included support for cc:Mail, Microsoft no longer 
offers its own service provider for support of cc:Mail. 


Outlook 2002 does not include the Microsoft 
Mail service provider. Microsoft no longer 


supports this product and customers who 
used this service will need to find another 
service provider. 


Whatever your e-mail server type, Outlook provides a 
comprehensive set of tools for composing, receiving, 
and replying to messages. Outlook provides support for 
rich-text and HTML formatting, which allows you to 
create and receive messages that contain much more 
than just text (see Figure 1-2). For example, you can 
send a Web page as a mail message or integrate sound, 
video, and graphics in mail messages. Outlook’s support 
for multiple address books, multiple e-mail accounts, 
and even multiple e-mail services makes it an excellent 
messaging client, even if you forgo the application’s 
many other features and capabilities. 


Scheduling 


Scheduling is another important feature in Outlook. You 
can use Outlook to track both personal and work-related 
meetings and appointments (see Figure 1-3), whether at 
home or in the office, a useful feature even on a stand- 
alone computer. 


“Figure 1-2. Use Outlook to create rich-text and 
multimedia messages. 
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Figure 1-3. Track your personal and work 
schedules with Outlook. 


newfeature! Where Outlook’s scheduling capabilities 
really shine, however, is in group scheduling. When you 
use Outlook to set up meetings and appointments with 
others, you can view the schedules of your invitees, 
which makes it easy to find a time when everyone can 
attend. You can schedule both one-time and recurring 
appointments. All appointments and meetings can 
include a reminder with a lead time that you specify, and 
Outlook will notify you of the event at the specified time. 
A new feature in Outlook 2002 lets you process multiple 


reminders at one time, a useful feature if you’ve been 
out of the office for a while. 


newfeature! Organizing your schedule is also one of 
Outlook’s strong suits. You can use categories and types 
to categorize appointments, events, and meetings; to 
control the way they appear in Outlook; and to perform 
automatic processing. Color labels allow you to identify 
quickly and visually different types of events on your 
calendar. 


In addition to managing your own schedule, you can 
delegate control of the schedule to someone else, such 
as your assistant. The assistant can modify your 
schedule, request meetings, respond to meeting 
invitations, and otherwise act on your behalf regarding 
your calendar. Not only can others view your schedule to 
plan meetings and appointments (with the exception of 
items marked personal), but you can also publish your 
schedule to the Web to allow others to view it over an 
intranet or the Internet (see Figure 1-4). 


“-Figure 1-4. You can easily publish your schedule 
to the Web. 


Contact Management 


Being able to manage contact information—names, 
addresses, and phone numbers—is critical to other 
aspects of Outlook, such as scheduling and messaging. 
Outlook makes it easy to manage contacts and offers 
flexibility in the type of information you maintain. In 
addition to basic information, you can also store a 
contact’s fax number, cell phone number, pager number, 
Web page URL, and more (see Figure 1-5). 


“-Figure 1-5. You can manage a wealth of 
information about each contact. 


Besides using contact information to address e-mail 
messages, you can initiate phone calls using the 
contacts list, track calls to contacts in the journal, add 
notes for each contact, use the contacts list to create 
mail merge documents, and perform other tasks. The 
Contacts folder also provides a means for storing a 
contact’s digital certificate, which you can use to 
exchange encrypted messages for security. Adding a 
contact’s certificate is easy—just receive a digitally 
signed message from the contact and Outlook will add 
the certificate to the contact’s entry. You can also import 
a certificate from a file provided by the contact. 


For details about digital signatures and 
encryption, see “Encrypting Messages” . For 
additional information on the journal, see 


“Tracking with Outlook’s Journal” . For 
complete details on how to use the journal, 
see Chapter 17, “Keeping a Journal.” 


Task Management 


Managing your work day usually includes keeping track 
of the tasks you need to perform and assigning tasks to 
others. Outlook makes it easy to manage your task list. 
You assign a due date, start date, priority, category, and 
other properties to each task, which makes it easier for 
you to manage those tasks (see Figure 1-6). As with 
meetings and appointments, Outlook keeps you 
informed and on track by issuing reminders for each 
task. You control whether the reminder is used and the 
time and date it’s generated, along with an optional, 
audible notification. You can designate a task as 
personal, preventing others from viewing the task in 
your schedule—just as you can with meetings and 
appointments. Tasks can be one-time or recurring. 


“-Figure 1-6. Use Outlook to manage tasks. 


If you manage others, Outlook makes it easy to assign 
tasks to other Outlook users. When you create a task, 
you simply click Assign Task, and Outlook prompts you 
for the assignee’s e-mail address. You can choose to 
keep a copy of the updated task in your own task list 
and receive a status report when the task is complete. 


Tracking with Outlook’s Journal 


Keeping track of events is an important part of 
managing your work day, and Outlook’s journal makes it 
simple. The Journal folder allows you to keep track of 
the contacts you make (phone calls, e-mails, and so on), 
meeting actions, task requests and responses, and other 
actions for selected contacts (see Figure 1-7). You can 
also use the journal to track your work in other Microsoft 
Office applications, giving you a way to track the time 
you spend on various documents and their associated 
projects. You can have Outlook journal items 
automatically based on settings that you specify, and 
you can also add items manually to your journal. 


“-Figure 1-7. Configure your journal using 
Outlook’s options. 


When you view the journal, you can double-click a 
journal entry to either open the entry or open the items 
referred to by the entry, depending on how you have 
configured the journal. You can also configure the 
journal to automatically archive items to the default 
archive folder or a folder you choose, or you can have 
Outlook regularly delete items from the journal, cleaning 
out items that are older than a specified length of time. 
Outlook can use group policies to control the retention 
of journal entries, allowing a system administrator to 
manage journaling and data retention consistently 
throughout an organization. 


Organizing Your Thoughts with Notes 


With Outlook, you can keep track of your thoughts and 
tasks by using the Notes folder. Each note can function 
as a Stand-alone window, allowing you to view notes on 
your desktop outside Outlook (see Figure 1-8). Notes 
exist as individual message files, so you can copy or 
move them to other folders, including your desktop, or 
easily share them with others through network sharing 
or e-mail. You can also incorporate the contents of notes 
into other applications or other Outlook folders by using 
the clipboard. For example, you might copy a note 
regarding a contact to that person’s contact entry. As 
you can with other Outlook items, you can assign 
categories to notes to help you organize and view them. 
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Figure 1-8. Use notes to keep track of 
miscellaneous information. 


How Outlook Stores Data 


If you work with Outlook primarily as a user, 
understanding how the program stores data will 
help you use it effectively to organize and 
manage your data on a daily basis, including 
storing and archiving Outlook items as needed. If 
you're charged with supporting other Outlook 
users, understanding how Outlook stores data 
will allow you to help others create and manage 
their folders and ensure the security and integrity 
of their data. And finally, because data storage is 
the foundation of all Outlook’s features, 
understanding where and how the program 
stores data is critical if you’re creating Outlook- 
based applications—for example, a data entry 
form that uses Outlook as the mechanism for 
posting the data to a public folder. 


For information on building Outlook- 
based applications, see Chapters 40 
through 43, which cover programming 


Outlook using Visual Basic and 
VBScript to create custom forms and 
applications. 


You're probably familiar with folders (directories) 
in the file system. You use these folders to 
organize applications and documents. For 
example, the Program Files folder in the Microsoft 
Windows operating system is the default location 
for most applications that you install on the 
system, and the My Documents folder serves as 
the default location for document files. You create 
these types of folders in Windows Explorer. 


Outlook also uses folders to organize data, but 
these folders are different from your file system 


folders. Rather than existing individually on your 
system’s hard disk, these folders exist within 
Outlook’s file structure. You view and manage 
these folders within Outlook’s interface, not in 
Windows Explorer. Think of Outlook’s folders as 
windows into your Outlook data rather than as 
individual elements that exist on disk. By default, 
Outlook includes several folders, as shown in 
Figure 1-9. 


“-Figure 1-9. Folders organize your data in 
Outlook. 


Personal Folders—PST Files 


If your Outlook folders aren’t stored as individual 
folders on your system’s hard disk, where are 
they? The answer to that question depends on 
how you configure Outlook. As in earlier versions 
of Outlook, you can use a personal folders file to 
store your Outlook data. Outlook uses the PST 
file extension for a personal folders file, but you 
specify the file’s name when you configure 
Outlook. For example, you might use your name 
as the file name to help you easily identify the 
file. The default PST file contains your Contacts, 
Calendar, Tasks, and other folders. 


You can use multiple PST files, adding additional 
personal folders to your Outlook configuration 
(see Figure 1-10). For example, you might want 
to create another set of folders to separate your 
personal information from work-related data. As 
you'll learn in Chapter 2, you can add personal 
folders to your Outlook configuration simply by 
adding another PST file to your profile. 


“-Figure 1-10. You can add multiple sets of 
folders to your Outlook configuration. 


If you use Outlook as an Exchange 
Server client, you probably store your 
data in the Exchange Server mailbox 
rather than in a local PST file. If that’s 


the case, you need to use an offline 
folder (OST) file in order to work 
offline. OST files are covered in the 
following section. 


OST Files 


If you use Outlook as an Exchange Server client 
and do not use PST files to store your data 
(instead storing your data on the Exchange 
Server), OST files will allow you to work offline. 
The OST file acts essentially as an offline copy of 
your data store on the Exchange Server. When 
you're working offline, changes you make to 
contacts, messages, and other Outlook items and 
folders occur in the offline store. When you go 
online again, Outlook synchronizes the changes 
between the offline store and your Exchange 
Server store. For example, if you’ve deleted 
messages from your offline store, Outlook deletes 
those same messages from your online store 
when you synchronize the folders. Any new 
messages in your Inbox on the server are added 
to your offline store. Synchronization is a two- 
way process, providing the most up-to-date copy 
of your data in both locations, ensuring that 
changes made in each are reflected in the other. 


For detailed information on important 
offline and remote access topics, see 
Chapter 35, “Working Offline and 


Remotely.” For a discussion of the 
differences between remote mail and 
offline use, see Chapter 13, 
“Processing Messages Selectively.” 


Where Storage Files Are Located 


When you create an Outlook storage file, Outlook 
defaults to a specific location for the file that 
varies according to your operating system: 


e Windows 9x. The default location is 
\Windows\Local 
Settings\Application 
Data\Microsoft\Outlook. On 
systems running Windows 9x that 
are configured to maintain unique 
user profiles (useful where multiple 
users share a single Windows 9x 
computer), the user profiles are 
stored in the \Profiles folder. On 
these systems, Outlook places the 
storage files by default in \Profiles\ 
<user>\Local Settings\Application 
Data\ Microsoft\Outlook. 


To maintain unique user 
profiles in Windows 98, 


configure Windows 
through the Users icon 
in Control Panel. 


e Windows NT. The default location 
for systems running Windows NT is 
\Ysystemroot%\Profiles\ 
<user>\Local Settings\Application 
Data\Microsoft\Outlook, where 
%systemroot% by default is 
\Winnt. 


e Windows 2000. The default 
location is \Documents And 
Settings\<user> \Local 
Settings\Application 


Data\Microsoft\Outlook. On 
systems running Windows 2000 
that were upgraded from Windows 
NT, the user profiles still reside in 
the \Winnt\Profiles folder. On these 
systems, therefore, Outlook places 
the storage files by default in 
\%systemroot%\Profiles\ 
<user>\Local Settings\Application 
Data\Microsoft\Outlook. As with 
Windows NT, %systemroot% 
defaults to \Winnt. 


Find your data store 


If you’re having trouble locating your 
existing storage files, choose File, 
Data File Management. In the Outlook 
Data Files dialog box (see Figure 1- 
11), select the file you want to locate 
and then determine the file location 
from the Filename column. If you can’t 
see the entire path, drag the column 
border to expand the column. 
Alternatively, to go straight to the 
folder containing the file, select the 
file and click Open Folder. In the folder 
window, choose Tools, Folder Options. 
From the View tab of the Folder 
Options dialog box, select Display The 
Full Path In The Title Bar to view the 
absolute, full path to the file. You can 
also use your operating system's 
Find/Search command to search for all 
files with a PST or OST file extension. 


“-Figure 1-11. Locate your data files by 
using the Outlook Data Files dialog box. 


If you use the same computer all the time, it’s 
generally best to store your Outlook files on your 
system's local hard disk. In some situations, 
however, you will probably want to store them on 
a network share. For example, you might connect 
from different computers on the network and use 
a roaming profile to provide a consistent desktop 
and user interface regardless of your logon 
location. (A roaming profile allows your desktop 
configuration, documents, and other elements of 
your desktop environment to be duplicated 
wherever you log on.) In this situation, you (or 
the network administrator) would configure your 
profile to place your home folder on a network 
server that is available to you from all logon 
locations. Your Outlook files would then be stored 
on that network share, making them available to 
you on whichever computer you use to log on to 
the network. Placing your Outlook files on a 
server gives you the added potential benefit of 
incorporating your Outlook data files in the 
server's backup strategy. 


For a detailed discussion of using 
roaming profiles to provide seamless 
access to Outlook, see Chapter 37, 
“Network, Platform, and Deployment 
Considerations.” To learn how to move 


your Outlook files from one location to 
another (such as from a local drive to 
a network share), see “Changing Your 
Data Storage Location”. 


Troubleshooting 


You use a roaming profile and 
logon time Is increasing. 


If you use Outlook as a client for 
Exchange Server, your best option is 
to use your Exchange Server mailbox 
as the store location for your data 
rather than using a PST file. However, 
if you use a roaming profile for 
consistent logon from multiple 
locations on the local area network 
(LAN), consider including the OST file 
in the roaming profile so that you'll 
always have access to it. If the 
Exchange Server is unavailable, you'll 
still be able to work with your Outlook 
data through the OST file; and placing 
the OST file in your roaming profile 
allows you to use it regardless of your 
logon location. 


Keep in mind, however, that the OST 
file can become quite large if you have 
a lot of data in your Exchange Server 
mailbox. The size of the profile affects 
logon time, and a large profile can 
Cause an excessive amount of network 
traffic as the files are copied from the 
server to your workstation. Use 
aggressive archiving and other 
housecleaning methods to keep your 
Outlook data to a minimum, and 
monitor your roaming profile size as 
often as possible. 


Sharing Storage Files 


Outlook provides excellent functionality for 
sharing information with others. Toward that end, 
you can share your data using a couple of 
different methods. You can configure permissions 
for individual folders to allow specific users to 
connect to those folders and view the data 
contained in them. You can also configure 
delegate access to your folders to allow an 
assistant to manage items for you in the folders. 
For example, you might have your assistant 
manage your schedule but not your tasks. In that 
case, you would configure delegate access for the 
Calendar folder but not for the Tasks folder. 


For a detailed discussion of delegation, 
see Chapter 27, “Delegating 
Responsibilities to an Assistant.” To 
learn how to configure sharing 


permissions for individual folders and 
additional methods for sharing data, 
see Chapter 34, “Sharing Information 
with Others.” 


Understanding Messaging 
Protocols 


A messaging protocol is a mechanism that messaging 
servers and applications use to transfer messages. 
Being able to use a specific e-mail service requires 
that your application support the same protocols the 
server uses. In order to configure Outlook as a 
messaging client, you need to understand the various 
protocols supported by Outlook and the types of 
servers that employ each type. The following sections 
provide an overview of these protocols. 


SMTP/POPS3 


Simple Mail Transport Protocol (SMTP) is a standards- 
based protocol used for transferring messages and is 
the primary mechanism that Internet-based and 
intranet-based email servers use to transfer 
messages. It’s also the mechanism that Outlook uses 
to connect to a mail server to send messages for an 
Internet account. Therefore, SMTP is the protocol 
used by an Internet mail account for outgoing 
messages. 


SMTP operates by default on TCP port 25. When you 
configure an Internet-based email account, the 
outgoing mail server setting is determined by the port 
on which the server is listening for SMTP. Unless your 
e-mail server uses a different port (unlikely), you can 
use the default port value of 25. 


Post Office Protocol 3 (POP3) is a standards-based 
protocol that clients can use to access messages from 
any mail server that supports POP3. This is the 
protocol that Outlook uses when retrieving messages 
from an Internet-based or intranet-based mail server 
that supports POP3 mailboxes. ISP-based mail servers 
invariably use POP3, as do other mail servers. For 
example, CompuServe Classic provides POP3 support, 
allowing you to retrieve your CompuServe mail 
through Outlook. Exchange Server also supports the 
use of POP3 for retrieving mail. 


POP3 operates on TCP port 110 by default. Unless 
your server uses a nonstandard port configuration, 
you can leave the port setting as is when defining a 
POP3 mail account. Figure 1-12 shows the Internet E- 
Mail Settings dialog box, which you use to configure 
the incoming and outgoing mail server settings for an 
Internet mail account. Click the More Settings button 
if you need to change port settings for the account. 


To learn how to set up an Internet e-mail 
account for an SMTP/POP3 server, see 


“Using Internet POP3 E-Mail Accounts”. To 
learn how to add the account and 
configure advanced properties, such as 
SMTP or POP3 port assignments, see 
“Configuring Advanced Settings for 
Internet Accounts”. 


“-Figure 1-12. Use the E-Mail Accounts Wizard’s 
Internet E-Mail Settings page to configure the 
incoming and outgoing mail server settings. 


IMAP 


Like POP3, Internet Mail Access Protocol (IMAP) is a 
standards-based protocol that enables message 
transfer. However, IMAP offers some significant 
differences from POP3. For example, POP3 is primarily 
designed as an offline protocol, which means you 
retrieve your messages from a server and download 
them to your local message store (such as your local 
Outlook folders). IMAP is designed primarily as an 
online protocol, which allows a remote user to 
manipulate messages and message folders on the 
server without having to download them. This is 
particularly helpful for users who need to access the 
same remote mailbox from multiple locations, such as 
from home and work, using different computers. 
Because the messages remain on the server, IMAP 
eliminates the need for message synchronization. 


Keep messages on the server 


You can configure a POP3 account in 
Outlook to leave a copy of messages on 


the server, allowing you to retrieve those 
messages later from another computer. To 
learn how to configure a POP3 account, 
see “Using Internet POP3 E-Mail Accounts”. 


IMAP offers other advantages over POP3. For 
example, with IMAP, you can search for messages on 
the server using a variety of message attributes, such 
as sender, message size, or message header. IMAP 
also offers better support for attachments, because it 
can separate attachments from the header and text 
portion of a message. This is particularly useful with 
multipart MIME messages, allowing you to read a 
message without downloading the attachments so 
that you can decide which attachments you want to 
retrieve. With POP3, the entire message must be 
downloaded. 


Security is another advantage of IMAP, because IMAP 
uses a challenge-response mechanism to authenticate 
the user for mailbox access. This prevents the user’s 
password from being transmitted as clear text across 
the network, as it is with POP3. 


IMAP support in Outlook allows you to use Outlook as 
a client to an IMAP-compliant e-mail server. Although 
IMAP provides for server-side storage and the ability 
to create additional mail folders on the server, it does 
not offer some of the same features as Exchange 
Server or even POP3. For example, you can’t store 
nonmail folders on the server. Also, special folders 
such as Sent Items, Drafts, and Deleted Items can’t 
be stored on the IMAP server. Even with these 
limitations, however, IMAP serves as a flexible 
protocol and surpasses POP3 in capability. Unless a 
competing standard appears in the future, it is likely 
that IMAP will replace POP3. 


For information about other advantages 
and disadvantages of IMAP and how they 
affect Outlook, see “Using IMAP Accounts”. 


For additional technical information on 
IMAP, point your browser to 

http ://www.ima.com/documents/index.ht 
ml#white or 
http://www.cyrusoft.com/imap/imapInfo.h 
tml, or refer to RFC 2060, which you can 
find at http://www. ietf.org/rfc/rfc2060.txt. 


MAPI 


Messaging Application Programming Interface (MAPI) 
is a Microsoft-developed application programming 
interface (API) that facilitates communication 
between mail-enabled applications. MAPI support 
makes it possible for other applications to send and 
receive messages using Outlook. For example, third- 
party fax applications, such as Symantec’s WinFax, 
can place incoming faxes in your Inbox through MAPI. 
As another example, a third-party MAPI-aware 
application could read and write to your Outlook 
Address Book through MAPI calls. MAPI is not a 
message protocol, but understanding its function in 
Outlook will help you install, configure, and use MAPI- 
aware applications to integrate Outlook. 


LDAP 


Lightweight Directory Access Protocol (LDAP) was 
designed to serve with less overhead and fewer 
resource requirements than its precursor, the 
Directory Access Protocol, which was developed for 
X.500. LDAP is a standards-based protocol that allows 
clients to query data in a directory service over a TCP 
connection. For example, Windows 2000 uses LDAP 
as the primary means for querying the Active 
Directory (AD). Exchange Server supports LDAP 
queries, allowing clients to look up address 
information for subscribers on the server. Other 
directory services on the Internet, such as Bigfoot, 
InfoSpace, Yahoo!, and others, employ LDAP to 
implement searches of their databases. 


Like Outlook Express, Outlook 2002 allows you to add 
directory service accounts that use LDAP as their 
protocol to query directory services for e-mail 
addresses, phone numbers, and other information 
regarding subscribers. 


To learn how to add and configure an LDAP 
directory service in Outlook, see 
“Configuring a Directory Service Account in 
Outlook”. 


For additional information regarding LDAP, 


refer to “MS Strategy for Lightweight 
Directory Access Protocol (LDAP),” 
available in the NT Server Technical Notes 
section of Microsoft TechNet or on the Web 


at 
http ://www.microsoft.com/TechNet/winnt/ 
Winntas/technote/Ida . 


NNTP 


Network News Transport Protocol (NNTP) is the 
standards-based protocol for server-to-server and 
client-to-server transfer of news messages, or the 
underlying protocol that makes possible public and 
private newsgroups. Outlook does not directly support 
the creation of accounts to access newsgroup servers, 
but instead relies on Outlook Express as its default 
newsreader (see Figure 1-13). 


“-Figure 1-13. Outlook relies on Outlook Express 
for reading and posting to public and private 
newsgroups. 


Microsoft Windows 2000 Server includes 
an NNTP service that lets a network 
administrator set up a news server to host 
newsgroups that can be accessed by local 
intranet or remote Internet users. 
Exchange Server allows the NNTP service 
to interface with other public or private 


news servers to pull newsgroups and 
messages via news feeds. Therefore, 
Windows 2000 Server by itself lets you set 
up your own newsgroup server to host 
your own newsgroups, and Exchange 
Server lets you host public Internet 
newsgroups. 


Using Outlook Express, you can download 
newsgroups, read messages, post messages, and 
perform other news-related tasks. Other third-party 
news applications, such as Forte’s Agent, offer 
extended capabilities. Forte’s Web site is located at 
http://www.forteinc.com. 


For a detailed explanation of setting up 
Outlook Express as a news reader, see 


Chapter 11, “Using Outlook Express for 
Public and Private Newsgroups.” 


HTML 


Hypertext Markup Language (HTML) is the protocol 
used most commonly to define and transmit Web 
pages. Several e-mail services, including Hotmail and 
Yahoo!, provide access to client mailboxes via Web 
pages and therefore make use of HTML as their 
message transfer protocol. You connect to the Web 
site and use the features and commands found there 
to view messages, send messages, and download 
attachments. 


Outlook provides enhanced HTML support, which 
means you can configure Outlook as a client for 
HTML-based mail services. As mentioned earlier in the 
chapter, Outlook includes built-in support for Hotmail. 
HTML support is purely a server-side issue, so HTML- 
based mail services other than Hotmail will have to 
provide Outlook support on their own sites. Hotmail 
accomplishes this support programmatically by means 
of Active Server Pages (ASP). 


Find Hotmail’s Outlook-based access 


The URL for Hotmail’s Outlook-based 
access is 
http://services.msn.com/svcs/hotmail/http 


mail.asp. Outlook configures the URL 
automatically when you set up a Hotmail 
account in Outlook (see Figure 1-14). You 
can’t browse to this URL through your Web 
browser to retrieve your e-mail, however. 


E-mail Accounts 


boyce_jim@hotmail.com Sever WRU 


Figure 1-14. Outlook configures the URL 
automatically for Hotmail, but you must enter the 
URL manually for other HTTP-based e-mail 
services. 


MIME 


Multipurpose Internet Mail Extensions (MIME) is a 
standard specification for defining file formats used to 
exchange e-mail, files, and other documents across 
the Internet or an intranet. Each of the many MIME 
types defines the content type of the data contained 
in the attachment. MIME maps the content to a 
specific file type and extension, allowing the e-mail 
client to pass the MIME attachment to an external 
application for processing. For example, if you receive 
a message containing a WAV file attachment, Outlook 
passes the file to the default WAV file player on your 
system. 


S/MIME 


Secure Multipurpose Internet Mail Extensions 
(S/MIME ) is a standard that allows email applications 
to send digitally signed and encrypted messages. 
S/MIME is therefore a mechanism through which 
Outlook permits you to include digital signatures with 
messages to ensure their authenticity and to encrypt 
messages to prevent unauthorized access to them. 


For a detailed discussion of using Outlook 
to send digitally signed and encrypted 
messages, as well as other security-related 


issues such as virus protection and 
security zones, see Chapter 12, “Securing 
Your System, Messages, and Identity.” 


MHTML 


MIME HTML (MHTML) represents MIME encapsulation 
of HTML documents. MHTML allows you to send and 
receive Web pages and other HTML-based documents 
and to embed images directly in the body of a 
message rather than attaching them to the message. 
See the preceding sections for an explanation of 
MIME. 


iCalendar, vCalendar, and vCard 


iCalendar, vCalendar, and vCard are Internet-based 
standards that provide a means for people to share 
calendar free/busy information and contact 
information across the Internet. The iCalendar 
standard allows calendar/scheduling applications to 
share free/busy information with other applications 
that support iCalendar. The vCalendar standard 
provides a mechanism for vCalendar-compliant 
applications to exchange meeting requests across the 
Internet. The vCard standard allows applications to 
share contact information as Internet vCards 
(electronic business cards). Outlook supports these 
standards in order to share information and interact 
with other messaging and scheduling applications 
across the Internet. 


Security Provisions in Outlook 


Outlook 2002 provides several features for 
ensuring the security of your data, messages, 
and identity. This section of the chapter presents 
a brief overview of security features in Outlook to 
give you a basic understanding of the issues 
involved, with references to other locations in the 
book that offer more detailed information on 
these topics. 


Support for Security Zones 


Like Microsoft Internet Explorer, Outlook supports 
the use of security zones. In Internet Explorer, 
security zones allow you to specify the types of 
actions that scripts can take on your system, 
based on the zone from which they were 
accessed. This prevents a malicious script from 
surreptitiously gathering information from your 
system and sending it to a Web site or doing local 
damage such as deleting files. In Internet 
Explorer, you can configure four zones, each with 
different security settings that define the tasks 
scripts can perform. For example, you can disable 
download of signed and unsigned Activex 
controls, specify how cookies are stored on your 
system, or disable scripting of Java applets. 


Because Outlook can receive HTML-based 
messages, your computer is exposed to the same 
security risks posed by Internet browsing with 
Internet Explorer. The risk is actually worse with 
e-mail, considering that you generally make a 
conscious effort to visit a Web page—e-mail 
messages, in contrast, come at you unbidden, 
therefore making your system subject to a more 
active form of attack. By supporting Internet 
Explorer’s security zones, Outlook allows you to 
specify the zone from which e-mail messages 
should be considered to have originated, letting 
you guard against HTML-based security risks. 


To learn how to apply security zones 


to protect your system, see “Using 
Security Zones”. 


Attachment and Virus Security 


You probably are aware that a virus is an 
application that infects your system and typically 
causes some type of damage. The action caused 
by a virus can be as innocuous as displaying a 
message or as damaging as deleting data from 
your hard disk. One especially insidious form of 
virus, called a worm, spreads itself automatically, 
usually by mailing itself to every contact in the 
infected system’s address book. Guarding against 
such viruses, then, is a critical issue. 


Outlook offers two levels of attachment security 
to guard against virus and worm infections, Level 
1 and Level 2. Outlook automatically blocks Level 
1 attachments, a category that includes almost 
40 file types with the potential to allow a virus to 
cause damage to your system—for example, EXE 
and VBS files. If you receive a Level 1 
attachment, Outlook displays a paper clip icon 
beside the message but does not allow you to 
open or save the attachment. When you send a 
Level 1 attachment, Outlook displays a reminder 
that other Outlook users might not be able to 
receive the attachment, giving you the option of 
converting it to a different file type (such as a ZIP 
file) before sending it. If you receive a Level 2 
attachment, Outlook allows you to save the 
attachment to disk but not open it directly. You 
can then process the file with your virus checker 
before opening it. 


Update your virus definitions often 


Your virus scanner is only as good as 
its definition file. New viruses crop up 
every day, so it’s critical that you have 
an up-to-date virus definition file and 


put in place a strategy to ensure that 
your virus definitions are always 
current. 


If you use Exchange Server to host your mailbox, 
the Exchange Server administrator can configure 
Level 1 and Level 2 attachments, adding or 
removing attachment types for each level. In 
addition, Outlook allows all users to control the 
security-level assignments for attachments. 


For a detailed discussion of Outlook’s 
virus protection, see “Protecting 


Against Viruses in Attachments”. 


Macro Viruses 


Although viruses were once found almost 
exclusively in executable files, viruses embedded 
in document macros have become very common, 
and Office documents are as subject to them as 
any. However, Outlook and other Office 
applications provide a means for you to guard 
against macro viruses. In Outlook, you can select 
one of three macro security levels, as shown in 
Figure 1-15. These security levels let you 
configure Outlook to run only signed macros from 
trusted sources (High), prompt you to choose 
whether to let the macro execute (Medium), or 
allow all macros to execute (Low). You can also 
specify which sources are trusted. 


“-Figure 1-15. Use macro security to 
prevent macro-borne viruses from affecting 
your system. 


To learn how to configure and use 
macro virus protection, see 


“Protecting Against Office Macro 
Viruses”. 


Digital Signatures 


Outlook allows you to add a certificate-based 
digital signature to a message to validate your 
identity to the message recipient. Because the 
signature is derived from a certificate that is 
issued to you and that you share with the 
recipient, the recipient can be guaranteed that 
the message originated with you, rather than 
with someone trying to impersonate your identity. 


For information about how to obtain a 
certificate and use it to digitally sign 


your outgoing messages, see 
“Protecting Messages with Digital 
Signatures”. 


In addition to signing your outgoing messages, 
you can also use secure message receipts that 
notify you that your message has been verified 
by the recipient’s system. The lack of a return 
receipt indicates that the recipient’s system did 
not validate your identity. In such a case, you can 
contact the recipient to make sure that he or she 
has a copy of your digital signature. 


Although you can configure Outlook to 
send a digital signature to a recipient, 
there is no guarantee that the 

recipient will add the digital signature 


to his or her contacts list. Until the 
recipient adds the signature, digitally 
signed messages will not be validated, 
nor will the recipient be able to read 
encrypted messages from you. 


Message Encryption 


Where the possibility of interception exists 
(whether someone intercepts your message 
before it reaches the intended recipient or 
someone else at the recipient’s end tries to read 
the message), Outlook message encryption can 
help you keep prying eyes away from sensitive 
messages. This feature also relies on your digital 
signature to encrypt the message and to allow 
the recipient to decrypt and read the message. 
Someone who receives the message without first 
having the public key portion of your certificate 
installed on his or her system will see a garbled 
message. 


To learn how to obtain a certificate 
and use it to encrypt your outgoing 


messages, as well as how to read 
encrypted messages you receive from 
others, see “Encrypting Messages”. 


Security Labels 


The security labels feature in this version of 
Outlook relies on security policies in Windows 
2000 (and is therefore supported only on clients 
running Windows 2000). Security labels let you 
add additional security information, such as 
message sensitivity, to a message header. You 
can also use security labels to restrict which 
recipients can open, forward, or send a specific 
message. Security labels therefore provide a 
quick indicator of a message’s sensitivity and 
control over the actions that others can take with 
a message. 


Understanding Outlook Service 
Options 


If you’ve been using an earlier version of 
Outlook, you’re probably familiar with Outlook’s 
service options. Earlier versions of Outlook 
supported three service options: No Mail, Internet 
Mail Only (IMO), and Corporate/Workgroup 
(C/W). Outlook 2002 changes that with a new 
unified mode. Outlook unified mode refers to the 
integration of mail services in Outlook, which 
allows you to configure and use multiple services 
in a single profile. This means that you can use 
Exchange Server, POP3, IMAP, and Hotmail 
accounts all in one profile and at the same time. 


To learn how to work with profiles and 


add multiple accounts to a profile, see 
“Understanding User Profiles”. 


Although Outlook makes a great e-mail client for 
a wide range of mail services, you might prefer to 
use only its contact management, scheduling, 
and other nonmessaging features and to use a 
different application (such as Outlook Express) 
for your messaging needs. There is no downside 
to using Outlook in this configuration, although 
you should keep in mind that certain features, 
such as integrated scheduling, rely on Outlook’s 
messaging features. If you need to take 
advantage of these features, you should switch to 
using Outlook as your primary messaging 
application. 


Options for Starting Outlook 


Office offers several options to control startup, either through command-line 
switches or other methods. You can choose to have Outlook open forms, 
turn off the preview pane, select a profile, and perform other tasks 
automatically when the program starts. The following sections describe 
some of the options you can specify. 


Normal Startup 


When you install Outlook, Setup places a Microsoft Outlook icon on the 
desktop. You can start Outlook normally by double-clicking the icon. You 
also can start Outlook by using the Start menu (choose Start, Programs, 
Microsoft Outlook). 


When Outlook starts normally and without command-line switches, it 
prompts you for the profile to use (see Figure 1-16) if more than one exists. 
The profile contains your account settings and configures Outlook for your 
e-mail servers, directory services, data files, and other Outlook settings. 


Figure 1-16. Outlook prompts you to choose a profile at startup. 


You can use multiple profiles to maintain multiple identities in Outlook. For 
example, you might use one profile for your work-related items and a 
second one for your personal items. To use an existing profile, simply 
choose it from the drop-down list in the Choose Profile dialog box and click 
OK. Click New to create a new profile (covered in Chapter 2, “Advanced 
Setup Tasks”). Click Options to expand the Choose Profile dialog box to 
include the following options (as shown in Figure 1-16): 


e Set As Default Profile. Select this option to specify the 
selected profile as the default profile, which will appear in the 
drop-down list by default in subsequent Outlook sessions. For 
example, if you maintain separate personal and work profiles, 
and your personal profile always appears in the drop-down 
list, select your work profile and choose this option to make 
the work profile the default. 


e Show All Logon Screens. Select this option to have Outlook 
prompt you for all startup options, including which address 
book to use; how to display names in the address book; the 
display name, file name, and password for your local data 
store; options for individual services such as Exchange Server 
or the Fax Mail Provider; and personal folders options. 


For an in-depth discussion of creating and configuring profiles, 
see “Understanding User Profiles”. The details of configuring 
service providers (such as for Exchange Server) are covered in 
various chapters where appropriate—for example, Chapter 6, 
“Using Internet Mail,” explains how to configure POP3 and IMAP 
accounts; and Chapter 32, “Configuring the Exchange Server 
Client,” explains how to configure Exchange Server accounts. 


Safe Mode Startup 


Safe mode is a new startup mode available in Outlook 2002 and the other 
Microsoft Office XP applications. Safe mode makes it possible for Office 
applications to automatically recover from specific errors during startup, 
such as a problem with an add-in or a corrupt registry. Safe mode allows 
Outlook to detect the problem and either correct it or bypass it by isolating 
the source. 


When Outlook starts automatically in safe mode, you see a dialog box that 
displays the source of the problem and asks whether you want to continue 
to open the program, bypassing the problem source, or try to restart the 
program again. If you direct Outlook to continue starting, the problem items 
are disabled, and you can view them in the Disabled Items dialog box (see 
Figure 1-17). To open this dialog box, choose Help, About Microsoft Outlook, 
and click Disabled Items. To enable a disabled item, select the item and 
click Enable. 


“Figure 1-17. Use the Disabled Items dialog box to review and enable 
items. 


In certain situations, you might want to force Outlook into safe mode when 
it would otherwise start normally—for example, if you want to prevent add- 
ins from loading or prevent customized toolbars or command bars from 
loading. To start Outlook (or any other Office application) in safe mode, hold 
down the Ctrl key and start the program. Outlook detects the Ctrl key and 
asks whether you want to start Outlook in safe mode. Click Yes to start in 
safe mode or No to start normally. 


If you start an application in safe mode, you will not be able to perform 
certain actions in the application. The following is a Summary (not all of 
which apply to Outlook): 


e Templates can’t be saved. 
e The last used Web page is not loaded (FrontPage). 


e Customized toolbars and command bars are not opened. 
Customizations that you make in safe mode can’t be changed. 


e The AutoCorrect list isn’t loaded, nor can changes you make 
to AutoCorrect in safe mode be saved. 


e Recovered documents are not opened automatically. 

e No smart tags are loaded, and new smart tags can’t be saved. 
e Command-line options other than /a and /n are ignored. 

e You can’t save files to the Alternate Startup Directory. 

e You can’t save preferences. 


e Additional features and programs (such as add-ins) do not 
load automatically. 


To start Outlook normally, simply shut down the program and start it again 
without pressing the Ctrl key. 


Starting Outlook Automatically 


If you’re like most Office users, you work in Outlook a majority of the time. 
Because Outlook is such an important aspect of your work day, you 
probably want it to start automatically when you log on to your computer, 
saving you the trouble of starting it later. Although you have a few options 
for starting Outlook automatically, the best solution is to place a shortcut to 
Outlook in your Startup folder. 


Follow these steps to start Outlook automatically in Windows 98 and 
Windows 2000: 


1. Close or minimize all windows on the desktop. 


2. Locate the Microsoft Outlook icon on the desktop, and drag it 
to the Start button. Don’t release the mouse button. 


3. Hold the pointer over the Start menu until it opens; then, 
while continuing to hold down the mouse button, open the 
Programs menu and then the Startup menu. 


4. Place the cursor on the Startup menu and release the mouse 
button. Windows informs you that you can’t move the item 
and asks whether you want to create a shortcut. Click Yes. 


Create a new Outlook shortcut 


If you don’t have a Microsoft Outlook icon on the desktop, you 
can use the Outlook executable to create a shortcut. Open 
Windows Explorer and browse to the folder \Program 
Files\Microsoft Office\Office10. Create a shortcut to the 
executable Outlook.exe. Note that the default syntax for the 
standard Microsoft Outlook shortcut is “C:\Program 
Files\Microsoft Office\Office10\Outlook.exe” /recycle. For an 
explanation of the /recycle switch and other Outlook startup 
options, see “Startup Switches”. 


You can use the following procedure to accomplish the same task in 
Windows 95 and Windows NT: 


1. Right-click an empty area of the taskbar, and choose 
Properties. 


2. Click the Advanced tab, and then click Advanced. 


3. In the resulting Windows Explorer window, open the Startup 
folder. 


4. Using the right mouse button, drag the Microsoft Outlook icon 
from the desktop to the Startup folder, release it, and choose 
Create Shortcut(s) Here. 


5. Close the Windows Explorer window and the taskbar dialog 
box. 


Change Outlook’s shortcut properties 


If you want to change the way Outlook starts from the shortcut 
in your Startup folder (for example, you might want to add 


command switches), you need only change the shortcut’s 
properties. For details, see “Changing the Outlook Shortcut,” 
below. 


Adding Outlook to the Quick Launch Bar 


The Quick Launch bar appears by default on the taskbar just to the right of 
the Start menu. Quick Launch, as its name implies, gives you a way to 
easily and quickly start applications—just click the application’s icon. By 
default, the Quick Launch bar includes the Show Desktop icon, as well as 
the Internet Explorer and Outlook Express icons (if Outlook Express is 
installed). Quick Launch offers easier application launching because you 
don’t have to navigate the Start menu to start an application. 


Adding a shortcut to the Quick Launch bar is easy: 
1. Minimize all windows so that you can see the desktop. 


2. Using the right mouse button, drag the Microsoft Outlook icon 
to the Quick Launch area of the taskbar and then release it. 


3. Choose Create Shortcut(s) Here. 


You can also left-drag the Microsoft Outlook icon to the Quick 
Launch bar. Windows will inform you that you can’t copy or move 
the item to that location and will ask whether you want to create 
a shortcut instead. Click Yes to create the shortcut or No to 
cancel. 


Changing the Outlook Shortcut 


Let’s assume that you’ve created a shortcut to Outlook on your Quick 
Launch bar or in another location so that you can start Outlook quickly. Why 
change the shortcut? By adding switches to the command that starts 
Outlook, you can customize the way the application starts and functions for 
the current session. You can also control Outlook’s startup window state 
(normal, minimized, maximized) through the shortcut’s properties. For 
example, you might want Outlook to start automatically when you log on, 
but you want it to start minimized. In this situation, you would create a 
shortcut to Outlook in your Startup folder and then modify the shortcut so 
that Outlook starts minimized. 


To change the properties for a shortcut, first locate the shortcut, right-click 
its icon, and choose Properties. You should see a dialog box similar to the 
one shown in Figure 1-18. 


“Figure 1-18. A typical Properties dialog box for an Outlook shortcut. 


The following list summarizes the options on the Shortcut tab of the 
Properties dialog box (some of which do not appear in Windows 9x): 


e Target Type. This read-only property specifies the type for 
the shortcut’s target, which in the example shown in Figure 1- 
18 is Application. 


e Target Location. This read-only property specifies the 
directory location of the target executable. 


e Target. This property specifies the command to execute when 
the shortcut is executed. The default Outlook command is 
“C:\Program Files\Microsoft Office\Office10\Outlook.exe” 
/recycle. The path could vary if you have installed Office in a 
different folder. The path to the executable must be enclosed 
in quotes, and any additional switches must be added to the 
right, outside the quotes. See “Startup Switches” to learn 
about additional switches you can use to start Outlook. 


e Run In Separate Memory Space. This option is selected by 
default and can’t be changed for Outlook. All 32-bit 
applications run in a separate memory space. This provides 
crash protection for other applications and for the operating 
system. 


e Run As Different User. Select this option to run Outlook in a 
different user context, which lets you start Outlook with a 
different user account from the one you used to log on to the 
computer. Windows will prompt you for the user name and 
password when you execute the shortcut. 


You also can use the RUNAS command from a 
command console (Windows NT and Windows 
2000) to start an application in a different user 
context. For additional information, see the 
following section, “Use RUNAS to Change User 
Context.” 


e Start In. This property specifies the startup directory for the 
application. 


e Shortcut Key. Use this property to assign a shortcut key to 
the shortcut, which will allow you to start Outlook by pressing 
the key combination. Simply click in the Shortcut Key box and 
press the keystroke to assign it to the shortcut. 


e Run. Use this property to specify the startup window state for 
Outlook. You can choose Normal Window, Minimized, or 
Maximized. 


e Comment. Use this property to specify an optional comment. 
The comment appears in the shortcut’s ToolTip when you rest 
the pointer over the shortcut’s icon. For example, if you use 
the Run As Different User option, you might include mention 
of that in the Comment box to help you distinguish this 
shortcut from another that launches Outlook in the default 
context. 


e Find Target. Click this button to open the folder containing 
the Outlook.exe executable file. 


e Change Icon. Click this button to change the icon assigned to 
the shortcut. By default, the icon comes from the Outlook.exe 
executable, which contains other icons you can assign to the 
shortcut. You also can use other ICO, EXE, and DLL files to 
assign icons. You'll find several additional icons in Moricons.dll 
and Shell32.dll, both located either in the Windows folder or in 
the Ysystemroot%\System32 folder (Windows NT and 
Windows 2000). 


When you're satisfied with the shortcut’s properties, click OK to close the 
dialog box. 


Use RUNAS to Change User Context 


As explained in the preceding section, you can use the option Run As 
Different User in a shortcut’s Properties dialog box to run the target 
application in a different user context from the one you used to log on to 
the system. This option is applicable on systems running Windows NT and 
Windows 2000 but not on those running Windows 9x or Windows Me. 


You can also use the RUNAS command from a command console in Windows 
NT and Windows 2000 to run a command—including Outlook—in a different 
user context. The syntax for RUNAS is 


RUNAS [/profile] [/env] [/netonly] /user:<UserName> program 
The parameters for RUNAS can be summarized as follows: 


e /profile Use this parameter to indicate the profile for the 
specified user if that profile needs to be loaded. 


e /env Use the current user environment instead of the one 
specified by the user’s profile. 


e /netonly Use this parameter if the specified user credentials 
are for remote access only. 


e /user:<UserName> Use this parameter to specify the user 
account under which you want the application to be run. 


e Program This parameter specifies the application to execute. 


Following is an example of the RUNAS command used to start Outlook in the 
Administrator context of the domain ADMIN. (Note that the command 
should be on one line on your screen.): 


RUNAS /profile /user:admin\administrator 
UWO A progran Piles yMicrosort OriLCE 
\Orricel0ourlook exe" /racyele” 


It might seem like a lot of trouble to type all that at the command prompt, 
and that’s usually the case. Although you can use RUNAS from the 
command console to run Outlook in a specific user context, it’s generally 
more useful to use RUNAS in a batch file to start Outlook in a given, 
predetermined user context. For example, you might create a batch file 
containing the sample RUNAS syntax just noted and then create a shortcut 
to that batch file so that you can execute it easily without having to type the 
command each time. 


Startup Switches 


Microsoft Outlook supports a number of command-line switches that modify 
the way the program starts and functions. Although you can issue the 
Outlook.exe command with switches from a command prompt, it’s generally 
more useful to specify switches through a shortcut, particularly if you want 
to use the same set of switches more than once. Table 1-1 lists the startup 
switches you can use to modify the way Outlook starts and functions. 


For an explanation of how to modify a shortcut to add command- 
line switches, see “Changing the Outlook Shortcut.” 


Table 1-1. Startup switches and their purposes 


Switch Purpose 


/a <filename> Open a message form with the attachment specified 
by <filename> 


/c ipm.activity Open the journal entry form by itself 


/c Open the appointment form by itself 
ipm.appointment 


/c ipm.contact Open the contact form by itself 
/c ipm.note Open the message form by itself 
/c ipm.post Open the discussion form by itself 


/c ipm.stickynote Open the note form by itself 


/c ipm.task Open the task form by itself 

/c <class> Create an item using the message class specified by 
<class> 

/CheckClient Perform a check to see whether Outlook is the 


default application for e-mail, news, and contacts 
/CleanFreeBusy Regenerate free/busy schedule data 
/CleanReminders Regenerate reminders 


/CleanSchedPlus Delete Schedule+ data from the server and enable 
free/busy data from the Outlook calendar to be 
used by Schedule+ users 


/CleanViews Restore the default Outlook views 


Switch 


/Folder 


/NoPreview 


/Profiles 


/Profile <name> 


/Recycle 


/ResetFolders 


Purpose 


Hide the Outlook Bar and folder list if displayed in 
the previous session 


Hide the preview pane and remove Preview Pane 
from the View menu 


Display the Choose Profile dialog box even if Always 
Use This Profile is selected in profile options 


Automatically use the profile specified by <name> 


Start Outlook using an existing Outlook window if 
one exists 


Restore missing folders in the default message store 


/ResetOutlookBar Rebuild the Outlook Bar 


/select <folder> 


Display the folder specified by <folder> 


Choosing a Startup View 


When you start Outlook, it defaults to using Outlook Today view (see Figure 

1-19), but you might prefer to use a different view or folder as the initial 

view. For example, if you use Outlook primarily as an e-mail client, you'll 

probably want Outlook to start in the Inbox. If you use Outlook mainly to 

manage contacts, you'll probably want it to start in the Contacts folder. 
“Figure 1-19. Outlook Today is the default view. 


To specify the view that should appear when Outlook first starts, follow 
these steps: 


1. Open Outlook and choose Tools, Options. 


2. Click the Other tab and then click Advanced Options (see 
Figure 1-20). 


“Figure 1-20. Use the Advanced Options dialog box to 
specify the startup view. 


3. From the Startup In This Folder drop-down list, choose the 
folder you want Outlook to open at startup. 


4. Click OK and then close the dialog box. 


If you switch Outlook to a different default folder and then want to restore 
Outlook Today as your default view, you can follow the previous steps to 
restore Outlook Today as the default. 


Simply select Outlook Today from the drop-down list or follow these steps 
with the Outlook Today window open: 
1. Open Outlook and open Outlook Today view. 


2. Click Customize Outlook Today at the top of the Outlook Today 
window. 


3. On the resulting page, select When Starting Go Directly To 
Outlook Today and then click Save Changes. 


Microsoft Access 2002 Inside 
Out 


Chapter 1 


Exploring What’s New in 
Access 2002 


Whether you’re a new user of Microsoft Access or 
an experienced Access database developer, you'll 
find a number of solid improvements in Access 
2002. With an eye toward enhancements both in 
form and function, the changes in Access make 
working with the interface more intuitive than 
ever; extend the reach of your data by giving you 
new options for displaying, reporting, and 
publishing; and provide more programming 
control over the functionality and appearance of 
the databases you create. 


As you'll see, Microsoft Access 2002 includes 
many new features, fixes, improvements, and 
other significant additions to functionality. This 
chapter provides a brief overview of these new 
and improved features. These features will be 
covered in more detail in their respective 
chapters. 


Office-Wide Changes 


Some new features in Access 2002 are not 
specific to Access. Instead, they are 
implementations of new features in Microsoft 
Office XP. Many of the improvements in Office XP 
are geared toward improving the user interface— 
making the features easier to get to than in prior 
versions—and extending the overall functionality 
of the applications so that you can use them 
together more intuitively, with less duplication of 
effort. Those benefits, along with features that 
help users recover from system crashes and 
preserve important files, will make your work 
with Access easier as well. 


Task Panes 


Access 2002 replaces the earlier Startup dialog 
box with the new Office-wide task pane feature, 
and it’s a welcome change. When you open 
Access, the Access task pane appears on the 
right side of the Access window, with the New File 
mode selected. The task pane displays a list of 
files you’ve worked with recently, to make it easy 
to reopen a database. The task pane also serves 
as a search pane when you click the Search 
button on the Access toolbar, and it lists available 
items to paste when you select the Clipboard 
mode by choosing Edit, Office Clipboard. 
Whatever task pane mode is selected, you can 
continue working in the Access window while you 
select the options you need from the task pane. 


You can also create a new database, data access 
page, or project; create a database from a 
template; and (a brand-new option in Access 
2002) create a database that is a copy of an 
existing database, to save you the trouble of 
importing numerous objects into the new 
database. Figure 1-1 shows the Access 2002 task 
pane as it appears when you open Access. 


“Figure 1-1. The task pane offers choices for 
opening or creating databases when Access 
is opened. 


Figure 1-1. The task pane offers choices for 
opening or creating databases when Access 
is opened. 


See Chapter 2, “Overview of Basic 


Access Features,” for more details on 
the new Access task pane. 


Smart Tags 


Smart tags are a new feature in Office XP that do 
just what their name implies—they provide tags 
with links that lead to more information about a 
specific person, company, place, or thing. They 
provide a “smart” use of data by allowing you to 
share information when you're working with 
Microsoft Word, Microsoft Excel, and Microsoft 
Internet Explorer. Access 2002 doesn’t support 
smart tags directly, but you can use the tags in 
Word or Excel data that you import to or export 
from Access database tables. 


For more information about using 
smart tags with Office XP applications, 
see Microsoft Office XP Inside Out 


(Microsoft Press, 2001), Microsoft 
Excel 2002 Inside Out (Microsoft 
Press, 2001), or Microsoft Word 2002 
Inside Out (Microsoft Press, 2001). 


Speech Recognition 


Access now supports speech recognition for both 
voice dictation and command and control 
operations, allowing users to dictate text and 
navigate Access menus by using speech and 
voice commands. Speech recognition could be a 
wonderful boon to users who have difficulty using 
a keyboard or mouse—or for those users who 
simply want to cut down on unnecessary 
keystrokes. 


For best results with speech recognition and 
dictation, you need a high-quality microphone. 
You should also be prepared to spend 
considerable time “training” the speech 
recognition software to understand your tone and 
phraseology. The effectiveness and functionality 
of speech recognition are sure to increase in 
subsequent versions of Office; for now, however, 
it’s something worth trying if you ever find 
yourself with the time to experiment. 


Speech recognition is not available in 
Design view for tables, queries, or 


diagrams in Access projects (ADP 


Access Changes 


Access has always been a great database system. As it has evolved, it has 
gained even more functionality, including new import and export formats, 
database replication, data access pages, and, most recently, PivotTables 
and PivotCharts. 


Access users will be pleased to see that Access now supports multiple 
Undo and Redo commands—a long-awaited feature. With enhanced 
PivotTables and brand-new PivotCharts, users can analyze their data from 
different perspectives in either tabular or graphical format. 


For Access programmers, the new Printer object and Printers collection 
make working with printers in code much easier. Access projects are now 
easier to work with, and Access now supports Extensible Markup 
Language (XML) as an import and export format. 


Data access pages are easier to design, and a new banded report format 
allows data levels to be expanded or collapsed. A Save To Data Access 
Page selection for forms lets you quickly create a data access page from 
an Access form. 


These changes and many others make Access even more powerful and 
easier to use. The sections that follow take a closer look at the changes 
and improvements specific to Access 2002. 


New Database Format 


Access 2002 offers a new database format designed to better handle new 
properties and features, including some that might be available in future 
versions of Access. If you don’t need to share a database with other users 
who are running earlier versions of Access, you can convert an existing 
database to the new format, or you can create a new database in Access 
2002 format, which will let you use great new features such as 
PivotCharts. 


The new database format is not the default format for new databases in 
Access 2002. Unless you manually change the Default File Format setting 
on the Advanced tab of the Options dialog box, new databases will be 
created in Access 2000 format. Figure 1-2 shows the Advanced tab of the 
Options dialog box with the default Access 2000 selection in the Default 
File Format box. 


“Figure 1-2. The Access 2000 format is still the default 

selection for new databases. 

Figure 1-2. The Access 2000 format is still the default selection for 
new databases. 


The database format is displayed in a database's title bar, in parentheses 
after the database name, as shown in Figure 1-3. 


Figure 1-3. The Access 2002 database format is indicated 
in a database’s title bar. 


Figure 1-3. The Access 2002 database format is indicated in a 
database’s title bar. 


For more information about working with databases in different 
Access versions, see Appendix A, “Setup and Installation.” 


Improvements to Compact And Repair 


The Compact And Repair utility has two components (which were separate 
utilities prior to Access 2000). The Compact component reduces database 
size by removing temporary objects, sometimes resulting in an amazing 
reduction of size—as much as 90 percent compaction. The Repair 
component repairs some database problems. 


The Compact And Repair utility has been improved so that it is able to 
repair databases containing broken forms and reports more frequently 
than before. Additionally, it appears that some earlier version databases 
with corrupted forms or reports are repaired when they are converted to 
Access 2002 format, even without using Compact And Repair. 


For more information on working with the Compact And Repair 
database utility, see Chapter 15, “Using Add-Ins to Expand 
Access Functionality.” 


Better Handling of Broken References 


Access 2002 handles broken references better than earlier versions do, 
and it provides more informative error messages when references to code 
libraries can’t be found. This makes it easier to correct broken references. 
If a back-end table is moved or renamed, however, you'll still get the 
Could not find file message. When you convert a database from an earlier 
version of Access, generally any references to Microsoft components (such 
as DAO, Word, or Outlook) will automatically be upgraded to the correct 
version. But if you have references set to non-Microsoft products, they 
might not be upgraded. Figure 1-4 shows the error message for a missing 
reference to the Find And Replace MDE file in a database converted from 
Access 97. (Find And Replace is an Access add-in.) 


“Figure 1-4. This error message offers details about a 
missing reference in a converted database. 


Figure 1-4. This error message offers details about a missing 
reference in a converted database. 


Multiple Undo and Redo 


Support for multiple Undo and Redo commands is a long-awaited Access 
feature now available in Design view for database (MDB) tables and 
queries; Access project (ADP) views, stored procedures, and functions; 
and forms, reports, data access pages, macros, and modules. The Design 
toolbars of most Access database objects now have drop-down Undo and 
Redo action lists. The Undo and Redo lists for tables, queries, forms, 
reports, and macros work just like their familiar counterparts in Microsoft 
Word. 


In modules, the Undo/Redo functionality is slightly different: Undo and 
Redo buttons are available but not action lists, so to undo multiple actions, 
you simply click the Undo button repeatedly. Figure 1-5 shows the Undo 
list for an Access form in Design view. 


“Figure 1-5. You can open the Undo drop-down list in an 
Access form in Design view. 


Figure 1-5. You can open the Undo drop-down list in an Access form 
in Design view. 


The new multiple Undo/Redo functionality has some limitations. For 
example, the list of items that can be undone isn’t saved when you switch 
between views for MDB tables, ADP views, ADP stored procedures, ADP 
functions, and data access pages. (This limitation is not surprising, given 
that these are quite different types of objects.) Linked tables don’t have 
Undo functionality because their structures can’t be modified—instead, 
they must be modified in their native databases. And Undo doesn’t work in 
PivotTables (although it does work—at least for some actions—in 
PivotCharts). 


Undo functionality has not changed for Datasheet and Form 
views; they have only a single-level Undo for changes to data. 


PivotChart and PivotTable Views 


Access 2002 forms have two new views, PivotChart and PivotTable, that 
enable you to look at your data in new ways. PivotCharts and PivotTables 
give you the flexibility to dynamically change the way your data is 
summarized and displayed by moving rows and columns and rearranging 
various elements on a form. As soon as you make the change, the 
PivotChart or PivotTable is redrawn, showing a new view of your data. 


Access 2002 provides a wizard to help you design these views, although 
PivotTables and PivotCharts are quite easy to create without a wizard, so it 
isn’t needed as much as for some other database objects. PivotTables are 
actually Excel objects embedded in Access forms, so some of the tools on 
the PivotTable and PivotChart toolbars resemble their Excel counterparts. 
Figure 1-6 shows a PivotTable listing the number of orders for products by 
country and salesperson. 


For more information on PivotCharts and PivotTables, see 
Chapter 12, “Using PivotTables and PivotCharts to Analyze 
Data.” 


Figure 1-6. This PivotTable displays orders by country and 
salesperson and allows users to swap rows and columns if 
desired. 


Figure 1-6. This PivotTable displays orders by country and 
salesperson and allows users to swap rows and columns if desired. 


New Form and Control Events 


While Access was already rich in form and control events, Access 2002 has 
a number of new events for forms and reports, which give Access 
programmers more control over the appearance of reports (in print 
preview) and make it possible to run code from even more user actions 
than before. 


Table 1-1 describes the new events available for forms. Many of these 
events apply only to PivotTable or PivotChart views. 


When the event name used in the properties sheet differs from 
the event name used in code (and listed in the Object 
Browser), Tables 1-1 and 1-2 list the code version of the event 
name in parentheses after the properties sheet version. 


Table 1-1. New form events 


Event Description 

OnUndo Occurs when a user undoes all edits to a form 

OnMouse Wheel Occurs when the user rolls the mouse wheel 

(MouseWheel) in Form, Datasheet, PivotTable, or PivotChart 
view 

BeforeScreenTip Occurs before a ScreenTip is displayed for an 


element in a PivotTable or PivotChart 


OnCmdEnabled Occurs when an Office Web component 

(CommandEnabled) determines whether the specified command is 
enabled 

OnCmdChecked Occurs when an Office Web component 

(CommandChecked) determines whether the specified command is 
checked 

OnCmdBeforeExecute Occurs before a specified command is 


(CommandBeforeExecute) ©xecuted 


OnCmdExecute Occurs after a specified command is executed 
(CommandExecute) 

OnDataChange Occurs when certain properties are changed 
(DataChange) or when certain methods are executed in 


PivotTable view 


OnDataSetChange Occurs when the data set changes in a data- 
(DataSetChange) bound PivotTable 


Event 


Description 


OnPivotTableChange Occurs when the specified PivotTable field, 

(PivotTableChange) field set, or total is added or deleted 

OnSelectionChange Occurs when the user makes a new selection 

(SelectionChange) in a PivotTable or PivotChart 

OnViewChange Occurs when the specified PivotTable or 

(ViewChange) PivotChart view is redrawn 

OnConnect Occurs when a PivotTable connects to a data 
source 

OnDisconnect Occurs when a PivotTable disconnects from a 
data source 

BeforeQuery Occurs when a PivotTable queries its data 
source 

OnQuery Occurs when a PivotTable query becomes 

(Query) necessary 

AfterLayout Occurs after all charts in a PivotChart have 
been laid out, but before they have been 
rendered 

BeforeRender Occurs before any object in a PivotChart has 
been rendered 

AfterRender Occurs after the specified object in a 
PivotChart has been rendered 

AfterFinalRender Occurs after all elements in a PivotChart have 


been rendered 


Controls have two new events that work similarly to form events of the 
same name. (See Table 1-2). 


Table 1-2. New control events 


Event Description 


OnDirty Occurs when data in a control is changed 
(Dirty) 


OnUndo Occurs when a user undoes changes to data in a control 


New Form and Report Properties and Methods 


Access offers several new properties and methods that give you increased 
control over the appearance and function of the forms and reports you 
create. These new capabilities include the following: 


e You can now create a custom icon on the taskbar for forms 
and reports as well as for the application itself (replacing the 
standard form and report icons). To create a custom icon for 
forms and reports, choose Tools, Startup to open the 
Startup dialog box, select an icon file, and check the Use As 
Form And Report Icon check box, as shown in Figure 1-7. 
Both the application and its forms and reports will use this 
custom icon on the taskbar. 


You might have to close the database (or a form 
or report) and then reopen it to display the new 
icon. This is particularly likely when you're 
changing back to the standard icon from a 
custom icon. 


#-Figure 1-7. You can specify that the application icon 
should also be used for forms and reports displayed on 
the taskbar. 


Figure 1-7. You can specify that the application icon 
should also be used for forms and reports displayed on 
the taskbar. 


e A number of properties previously available only for forms 
are now also available for reports: Modal, PopUp, 
BorderStyle, AutoResize, AutoCenter, MinMaxButtons, 
CloseButton, and Contro/Box. These properties give 
developers more control over how a report looks in print 
preview. 


e The OpenReport method now has a windowmode argument 
that lets you open a report in hidden mode or as an icon 
(minimized). 


e Both forms and reports now have a Move method that you 
can use to move and resize the form or report (like the old 
MoveSize action). This means that you can move or resize a 
form without first selecting it, which is much more 
convenient. (MoveSize works only on the currently selected 
object.) 


Shortcut Keys and Accessibility 


A number of new shortcut keys and accessibility features make Access 
much easier to use without a mouse. Table 1-3 lists these shortcut keys. 


Table 1-3. New Access shortcut keys 


Shortcut 
key 


F4 


F7 


Shift+F7 


F8 


Ctrl+Right 
Arrow key 
or 
Ctrl+period 


Ctril+Left 
Arrow key 
or 
Ctrl+comma 


Ctri+Tab 


Enter 


Description 


In Design view, opens the properties sheet 


When a form or report is open in Design view (with the 

focus on the Design view window or a properties sheet), 
takes the user to the code window, open to the form or 

report code module 


When the focus is on a properties sheet in Design view, 
moves the focus back to the design area without closing 
the properties sheet 


In a form or report in Design view, opens the field list; in a 
data access page in Design view, toggles the field list on or 
off 


Moves to the next view when you're working with tables, 
queries, forms, reports, pages, views, and stored 
procedures 


Moves to the previous view when you’re working with 
tables, queries, forms, reports, pages, views, and stored 
procedures 


Navigates from a form or report section to a subsection 


In Design view, with a field selected in the field list in a 
form or report, adds the selected field to the form or report 
design surface 


For more information on working with forms in Design view, 
see Chapter 5, “Creating Forms for Entering, Editing, and 
Viewing Data.” 


Interface Enhancements 


Even if you’re comfortable with the Access interface and didn’t see any 
need for enhancements, you'll find that the following changes to the user 
interface in Access 2002 make it easier for you to view your information 
the way you want to see it and to get the help you need without leaving 
the Access windows: 


e Two new zoom powers, 1000% and 500%, have been added 
to the Zoom option for Print Preview. 


e The Access menu bar now provides an Ask A Question box, 
where you can quickly enter a word or phrase to search for 
in Help. The drop-down list displays the previous few 
questions, so you can ask the same question again if you 
need to. After entering a word or phrase and pressing Enter, 
you'll see a list of appropriate Help topics to choose from. 
Figure 1-8 shows the list of topics provided after the term 
PivotTable is entered. 


Figure 1-8. Type a phrase into the Ask A Question box 
to view a list of relevant Help topics. 


Figure 1-8. Type a phrase into the Ask A Question box 
to view a list of relevant Help topics. 


e You can now open a subform in its own window either by 
right-clicking the subform and choosing Subform In New 
Window on the shortcut menu or by selecting the subform 
and choosing View, Subform In New Window. (These 
improvements also apply to subreports.) This is not so much 
a new feature as a restoration of a much-missed feature in 
earlier versions of Access. 


Conversion Error Logging 


When you're converting an Access 95, Access 97, or Access 2000 

database to either Access 2000 or Access 2002 format, any errors that 
occur during the conversion are logged to a table. You'll find this table 
helpful when you need to track down and fix any conversion problems. 


Figure 1-9 shows the Conversion Errors table for an Access 97 database 
converted to Access 2000 format (which, as mentioned, is the default 
format in Access 2002). 


“Figure 1-9. The Conversion Errors table helps you find 
and fix any conversion errors. 


Figure 1-9. The Conversion Errors table helps you find and fix any 
conversion errors. 


Expanded Programmability 


Access 2002 provides several new properties and methods that let Access 
programmers obtain information about database objects, perform 
housekeeping chores, add or remove items in a list, and more, including 
the following: 


e You can now pass a database password when you open a 
database programmatically by using the new bstrPassword 
parameter for the OpenCurrentDatabase method of the 
Access Application object. 


e You can now obtain the DateCreated and DateModified 
properties for any Access object by using the new 
DateCreated and DateModified properties of the 
AccessObject object. For example, the following expression 
yields the date on which the frmColors form was last 
modified: 


CurrentProject.AllForms ("frmColors") .DateModified 


e Combo boxes and list boxes now have AddItem and 
Removeltem methods, making them work more like these 
controls do on Microsoft Visual Basic and Visual Basic for 
Applications (VBA) forms. These methods can be used only 
when a combo box’s or list box's RowSourceType property is 
set to Value List. 


See Chapter 6, “Working with Form Controls,” for 
an example of code that uses the AddItem and 
Removeltem methods. 


e The Access Application object now has a CompactRepair 
method to use in code. This method corresponds to the 
Compact And Repair Database command. (Choose Tools, 
Database Utilities. ) 


e The Access Application object has a new 
ConvertAccessProject method that you can use to convert an 
Access project from one Access version to another. 


e The Access Application object has a new BrokenReference 
property. This is a Boolean property that tells you whether a 
database has any broken references. (You still have to 
iterate through the References collection to locate and fix 
any broken references.) 


e When a module is edited and saved without compiling, only 
the changed module is saved, and then the entire project is 
saved when the project is compiled. This can save a good 
deal of compile time, particularly in large databases. 


Printer Object and Printers Collection 


The Access object model has a new Printer object and a Printers 
collection, making it much easier to work with printers in code than the 
old PrtDevMode, PrtDevNames, and PrtMip properties of reports, which 
were hard to understand and use. The Printer object is far more intuitive— 
it has properties corresponding to the options in the Page Setup dialog 
box. 


The Printer object and Printers collection let you print reports on a specific 
printer, using the appropriate paper sizes and trays and special features 
such as duplexing, without having to first open the report and save it with 
that printer selected. 


The Printer object and Printers collection are described in more 
detail in Chapter 20, “Customizing Your Database Using VBA 
Code.” 


Better Support of Multilingual Text and Graphics 


Access 2002 adds significant new support for meeting the challenges of 
working in multiple languages, including the following: 


e If you install the required fonts, multilingual text (English, 
Asian, and complex script) is displayed better in tables, 
forms, and reports. 


e You can now output Access objects to Unicode RTF, HTML, 
text, and Excel file formats, thereby preserving multilingual 
text. 


e A new Spelling tab has been added to the Options dialog box 
(accessed by choosing Tools, Options), allowing you to select 
a number of languages and other language-specific options. 
Figure 1-10 shows the Spelling tab with the Canadian French 
dictionary language selected. 


Figure 1-10. The new Spelling tab offers a wide 
selection of language-related options. 


Figure 1-10. The new Spelling tab offers a wide 
selection of language-related options. 


e A new International tab, shown in Figure 1-11, has been 
added to the Options dialog box, allowing you to select 
reading directions and other options for complex script 
languages. 


#-Figure 1-11. The International tab of the Options 
dialog box provides support for languages with complex 
scripts. 


Figure 1-11. The International tab of the Options 
dialog box provides support for languages with complex 
scripts. 


Grouped line manipulation has been improved for Asian 
versions of Access. You can group a set of table-like lines, 
and then move individual lines by pressing Alt and an arrow 
key. 


The IMEMode property of the ComboBox, ListBox, and 
TextBox objects is now available to all users at all times, if 
the supported Input Method Editors (IMEs) are installed. 
This property allows you to set properties related to various 
Asian languages, such as kanji conversion, full-pitch or half- 
pitch hiragana, and katakana. 


ADP Project Changes 


A number of new features make it easier to work with Access projects, the ADP 
files that are the Access front end to data in SQL Server tables. Some of these 
new features include a new version of the Microsoft Database Engine that 
allows you to work with projects even if you don’t have SQL Server, as well as 
many enhancements to project front ends. 


For more information about working with Access projects, see 
Chapter 19, “Creating Access Projects,” and Appendix E, “Upsizing 
to SQL Server.” 


SQL Server 2000 Desktop Engine 


SQL Server 2000 Desktop Engine (formerly the Microsoft Database Engine, or 
MSDE) is included with SQL Server 2000 and is provided on the Microsoft Office 
CD in the MSDE2000 folder. To install MSDE, double-click Setup.exe in this 
folder. Figure 1-12 shows the folder on the Office CD with Setup.exe selected. 
With MSDE installed, you can create projects even if you don’t have the full 
version of SQL Server installed. 


Figure 1-12. You can install MSDE from the MSDE2000 
folder on the Office CD. 


Figure 1-12. You can install MSDE from the MSDE2000 folder on the 
Office CD. 


The SQL Server 2000 Desktop Engine setup includes a new version of the 
Microsoft Data Access Components (MDAC)—version 2.6. These components 
help you integrate data from a wide variety of sources and include Microsoft 
ActiveX Data Objects (ADO), OLE DB, and Open Database Connectivity 
(ODBC). 


For more information about the SQL Server 2000 Desktop Engine 
and how it compares with SQL Server, see Chapter 3, “Introduction 
to Database Design.” 


Running Access Projects Against SQL Server 2000 


Access 2002 and SQL Server 2000 work together more tightly than ever 
before. Here are some of the highlights: 


Using SQL Server functions. SQL Server 2000 functions provide the same 
functionality as Jet parameterized queries. Use functions to replace stored 
procedures that returned a single result set, or any place a view was used. You 
can use these functions as record and row sources for forms, reports, data 
access pages, combo boxes, and other objects. 


Extended property support. SQL Server 2000 now provides support for 
extended properties, letting you set up lookup relationships, validation text, 
formatting, subdatasheets, and other features of tables, views, and functions, 
just as with MDB files. 


Updatable views. You can now update values in a view or function directly by 
using a datasheet. Any update that can be performed using an MDB query can 
now be performed using a SQL Server view or function. 


Linked Table Wizard. The Access Linked Table Wizard can now be used to 
create tables linked to a SQL Server database, an MDB file, or other OLE DB 
sources. 


Copy Database File and Transfer Database support. Access 2002 allows 
you to attach SQL Server MDF files to your local server. You can now use the 
Copy Database File command against the current ADP database on a local 
server to create a copy of the MDF file, so that you can move it to a different 
server. You can use the Transfer Database command to transfer a database 
from one server to another, even if you’re not working on your local server. To 
access these commands, choose Tools, Database Utilities. 


Running ADP Projects Against All Versions of SQL Server 


If you’re running an earlier version of SQL Server, you'll also see some 
changes, as follows: 


Batch updates in a form. The new BatchUpdates property on the Data tab of 
a form's properties sheet allows you to tell Access to batch all data entryand 
send it to the server when the user navigates off the form, closes the form, or 
chooses Records, Save All Records. You can also create a button that 
programmatically saves or undoes all records, thereby eliminating the need to 
create unbound forms that gather all the data and commit changes at one 
time. 


Better input parameter support for functions and stored procedures. 
You can now specify parameter values for a record source, just as with an 
MDB-based form or report. For example, if the following SQL statement is used 
as a report’s record source, when the report is run, a parameter dialog box will 
appear, asking for the Country value: 


SELECT * FROM tblCustomers 
WHERE Country = @ [Enter a country for the Customers repo: 


This new feature gives you more flexibility, eliminating the need to create 
different record sources with specific filters. 


Password security. The new Set Login Password command (choose Tools, 
Security) allows you to change your logon password for the current logon 
specified for the ADP connection, without having to log off first. 


SQL replication and Security dialog boxes removed. Because of security 
changes in SQL Server, Access no longer offers SQL replication and security. 
You must use SQL Server 2000 Enterprise Manager to implement replication 
and security for your database. 


Using Recordsets 


You can now use recordsets (sets of records that behave as objects) as row 
sources for combo boxes and lists, which gives you another option for 
providing lists of items to select. Additionally, disconnected recordsets can be 
used for all ADP objects that have RecordSource and RowSource properties. 


XML and Access 


Significant XML support has been added to 
Access, both in the core product and in data 
access pages. XML extends HTML to deal with 
structured data from many applications and 
allows the creation of custom data formats for 
special situations. Some of the new features are 
described briefly in this section. 


XML Import/Export 


You can create XML data or schema documents 
from Jet or SQL Server structures and data, or 
you can use XML data or schema documents to 
import (either programmatically or through the 
export user interface) data or structure into 
either SQL Server or Jet. 


Import User Interface 


The Import dialog box (choose File, Get External 
Data, Import) now provides an XML Documents 
selection, which allows you to import schema and 
data documents into either SQL Server or Jet. 
Figure 1-13 shows the XML Documents selection. 


“-Figure 1-13. You can import an XML 
document into either SQL Server or Jet. 


Figure 1-13. You can import an XML 
document into either SQL Server or Jet. 


Export User Interface 


The Access table/query/report/form export 
feature (choose File, Export with a table, query, 
report, or form selected) now includes an XML 
Documents Save As Type selection, as shown in 
Figure 1-14. 


“-Figure 1-14. You can export an Access 
database object to an XML document. 


Figure 1-14. You can export an Access 
database object to an XML document. 


XSL Transformations and Presentations 


With Extensible Stylesheet Language (XSL), you 
can create your own style sheets for formatting 
XML data. You can create your own XSL data 
transformations for changing the data document 
format, and you can also create your own 
presentation formats and add them to the drop- 
down lists within the Export and Import dialog 
boxes by adding a metaheader to your XSL 
document. 


Data Access Page Changes 


Data access pages give you the means of 
publishing pages on the Web that work with data 
in Access or SQL Server databases. Data access 
pages were first introduced in Access 2000, but 
they weren't very easy to use. Access 2002 
provides many enhancements that make it much 
easier to create and modify data access pages. In 
this section, we'll look briefly at each of these 
enhancements. 


See Chapter 18, “Working with Data 


Access Pages,” for more details on the 
changes to data access pages. 


Data Access Page Designer 


When you create a new data access page (or 
open an existing data access page in Design 
view), you'll find a host of improvements and new 
features, including the following: 


e The Designer now supports 
multilevel Undo and Redo. 


Microsoft Internet Explorer 5.5 and 
6.0 users have both keyboard and 
mouse multiselect support for 
applying sizing, horizontal and 
vertical spacing, alignment, and 
property settings to data access 
pages. 


Internet Explorer 5.5 and 6.0 users 
can also see the control’s actual 
size while they're resizing it. Snap- 
to-grid support has been improved, 
and the Size To Fit command sizes 
the control to the size of its 
content. 


Multiselect drag-and-drop is now 
available from the field list. 


Banded (grouped) pages have more 
functionality, including intuitive 
drop zones, automatic indenting of 
group levels, a group-level 
Properties drop-down option on 
each group’s shortcut menu, and 
automatic formatting for caption 
and footer properties. 


Banded pages are updatable. You 
can control updating by using the 


group-level properties 
AllowAdditions, AllowDeletions, and 
AllowEdits. 


The AutoSum feature makes it easy 
to create aggregates by selecting a 
control and clicking AutoSum. 


Controls, sections, group-level 
properties, and page properties 
now have shortcut menus. 


You can create customized 
navigation controls by applying the 
class name of the control to most 
HTML element types. For example, 
you can turn a label into a Next 
navigation control by appending 
MsoNavNext to the class name of 
the label. 


The Layout Wizard now supports 
Tabular, PivotChart, and 
Spreadsheet options. 


You can now bind the Spreadsheet 
control to data. 


The Designer now inherits extended 
properties from both Jet and SQL 
Server 2000 databases so that 
lookups are dropped as lookups 
instead of as static values, and 
label properties are set 
appropriately. 


Improved Properties Sheet 


Data access page properties are now easier to 
use because of better organization of the 
properties sheet and several new builders that 
help you select the appropriate value for a 
property. You'll find the following enhancements: 


e Only relevant properties are shown 
for each element type. Some 
unneeded properties have been 
removed, and a richer set of 
applicable properties are exposed. 


e You can set interior properties of 
ActiveX controls through the 
properties sheet. 


e The properties sheet supports 
builders, including Page Connection, 
Color Picker, and Zoom. 


e You can turn on a record selector by 
right-clicking a section, choosing 
Group Level Properties on the 
shortcut menu, and then setting the 
RecordSelector property to True. 
(The default setting is False, so the 
record selector isn’t displayed for 
that group.) The record selector is a 
vertical band on the left side of the 
data access page. However, unlike 
with Access forms, you can’t click 
the record selector to delete a 
record from a data access page 
after selecting it because the Delete 
Record option on the Edit menu is 
disabled for data access pages. 


e All pages use alternate row colors 
by default, but you can change this 
setting in the Group Level 
properties sheet. 


Deploying Data Access Pages 


Access 2002 includes several new features that 
make it easier to deploy your data access pages 
on the Web after you’ve designed them, as 
follows: 


e Access 2000 data access pages will 
be converted to Access 2002 format 
when they're opened in Design view 
in an Access 2002 database. 
Solutions created using Access 
2000 will still work after you install 
the new Office Web Components. 


e A page-level script notifies the user 
with appropriate messages when 
the correct browser or Office Web 
Components are not present. 


e Users can set relative paths to 
Access databases, although only 
when the page is opened through 
the file system, not through HTTP. 


e Developers can point all pages ina 
solution to Office Data Connection 
(ODC) or Universal Data Link (UDL) 
files by using the page’s 
ConnectionFile property. When the 
page is loaded, it retrieves the 
connection file and sets the 
connection specified in the file. Set 
the default connection for all new 
pages on the Pages tab of the 
Options dialog box, by choosing 
Tools, Options. 


e Developers can set the default 
pages folder on the Pages tab of the 
Options dialog box. 


e The page’s link property is exposed 
both programmatically and in the 
Page Properties dialog box in the 
Database window. 


e With the OfflineCDF, OfflineSource, 
and OfflineType properties, you can 
build applications that work with 
SQL Server and Jet replication or 
XMLdata files. This feature is fully 
integrated with the Internet 
Explorer offline synchronization 
model. 


See Microsoft FrontPage 2002 Inside 
Out (Microsoft Press, 2001) for more 
information about deploying Access 
data on the Web using Microsoft 


FrontPage. FrontPage has its own set 
of tools for this purpose, some of them 
more powerful than the tools in 
Access. 


Other DAP Improvements 


There are a few other miscellaneous changes 
related to data access pages that make them 
easier to work with, including a Data Access Page 
selection in the Save As dialog box for forms, 
some features that allow you to link to XML 
documents, and a number of Data Source control 
attributes. 


Working Off Line 


You can prepare a data access page for offline 
work by setting a number of page properties, all 
available through the object model, or by opening 
the data access page in Internet Explorer and 
selecting Make Available Offline in the Add 
Favorite dialog box. For details on working with 
data access pages off line, see Chapter 18, 
“Working with Data Access Pages.” 


Saving Forms and Reports as Data 
Access Pages 


You can now Save forms and reports as data 
access pages by selecting Data Access Page in 
the Save As dialog box, as shown in Figure 1-15. 
Saving a form as a data access page saves a lot 
of time when you want the page to look just like 
an existing form. You don’t have to design the 
data access page from scratch; instead, you can 
create it from a form you've already created. 


“-Figure 1-15. You can save a form as a data 
access page and save the time it takes to 
design the page from scratch. 


Figure 1-15. You can save a form as a data 
access page and save the time it takes to 


design the page from scratch. 


Creating an XML Data Document 


You can create an XML document or XML data 
island (XML data embedded in HTML code) from a 


data access page by using the ExportXML 
method. 


Binding Data to an XML Data Document 


You can set the properties described in Table 1-4 
either on the page’s properties sheet or through 


code at runtime. 
Table 1-4. XML data binding properties 


Property Value 


XMLLocation dscXMLDataEmbedded 


dscXMLDataFile 


XMLDataTarget dscXMLDataEmbedded 


Description 


Data 
appears on 
the page 
as a data 
island. 


Data is an 
XML data 
document. 


Sets the 
ID of the 
data 
island. 


Property Value Description 


dscXMLDataFile Sets the 
UNC, URL, 
or absolute 
path and 
name of 
the XML 
document. 


UseXMLData True Connection 
to the live 
source is 
dropped 
and the 
data 
access 
page is 
bound to 
the XML 
source. 


Binding to an Arbitrary Recordset 


You can now bind data access pages to any 
arbitrary recordset. Use the SetRootRecordset 
method to bind to disconnected and persisted 
recordsets. 


New Data Source Control Events 


The Data Source control is used behind the 
scenes to bind data access pages to a data 
source. Unlike other controls, it has no 
representation in the interface; you program it in 
VBA code. This control now has several new 


events that give you more places to respond to 


user actions. 


Table 1-5 lists the new Data Source control 


events. 


Table 1-5. New Data Source control events 


Event 


AfterDelete 


AfterInsert 


AfterUpdate 


BeforeDelete 


BeforeInsert 


Before 


Dirty 


Description 


Occurs after a record deletion has 
been confirmed and the record 
has actually been deleted, or after 
the deletion is canceled 


Occurs after a new record is 
added to the recordset 


Occurs after a record is updated 
with changed data or after the 
record loses focus 


Occurs before the record is 
actually deleted 


Occurs when the first character is 
entered into a new record, but 
before the record is actually 
added to the recordset 


Update Occurs before a record is 
updated with changed data or 
before the record loses focus 


Occurs when the contents of a 
record change, and before the 
BeforeUpdate event 


Event Description 


Focus 


Page-level event that occurs when 
a section receives the focus (as 
opposed to the Current event, a 
recordset-level event that occurs 
when the record changes in the 
underlying recordset) 


RecordExit Occurs after all update events 
have fired and before the record 
loses currency 


New Data Source Control Constants 


Table 1-6 lists the new Data Source control 
constants. These constants are used to set the 
Data Source control properties or are returned by 
its events, enabling you to take different actions 
in code depending on what choice a user makes 
in the interface. 


Table 1-6. New Data Source control constants 


Constant Description 


dscDeleteOK Indicates that delete 
operation succeeded 


dscDeleteCancel Indicates that delete 
operation was canceled 
through code 


Constant Description 


dscDeleteUserCancel Indicates that delete 
operation was canceled 
by the user 


dscDisplayAlertContinue Determines whether a 
custom error message 
Or no error message is 
displayed 


dscDataAlertDisplay Indicates that standard 
error dialog box should 
be displayed 


dscRefreshData Causes the Refresh 
method to refresh the 
data cache while 
maintaining the 
current connection 


New Data Source Control Function 


The new EuroConvert function converts a number 
to euros or from euros to another currency. You 
can also use this function to convert a number 
from one currency to another by using the euro 
as an intermediate value. 


Updating Data Access Pages 


Banded data access pages are now updatable, 
and child recordsets are fully updatable, enabling 
you to add, modify, and delete records from the 
child recordsets assigned to each band of data. 


The Group Level properties sheet allows you to 
control whether the child recordsets are 
updatable by setting the following properties: 


e AllowEdits 
e AllowAdditions 


e AllowDeletes 


These properties are set to False by default for 
converted DAPs. DAPs created in the interface 
have these properties set to True. 


